
Windows Analysis Report
prgNb8YFEA.exe

Overview

General Information

Sample name: prgNb8YFEA.exe
renamed because original name is a hash value
Original sample name: e248994d1154ecc091a72040543631f6faf42e980b524193b6ea207262a374a7.exe
Analysis ID: 1588806
MD5: 5314dc731381de014b294374b0eb7666
SHA1: 9e3577f1495fdbb76115231a8a6680db0bed3632
SHA256: e248994d1154ecc091a72040543631f6faf42e980b524193b6ea207262a374a7
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • prgNb8YFEA.exe (PID: 2644 cmdline: "C:\Users\user\Desktop\prgNb8YFEA.exe" MD5: 5314DC731381DE014B294374B0EB7666)
    • brontothere.exe (PID: 2892 cmdline: "C:\Users\user\Desktop\prgNb8YFEA.exe" MD5: 5314DC731381DE014B294374B0EB7666)
      • RegSvcs.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\prgNb8YFEA.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4696 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • brontothere.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Local\Milburr\brontothere.exe" MD5: 5314DC731381DE014B294374B0EB7666)
      • RegSvcs.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Milburr\brontothere.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "FTP", "FTP Server": "ftp://ftp.hogarsancamilo.org/", "FTP Username": "Johnson@hogarsancamilo.org", "Password": "eg0wtRsF5HKA", "Version": "5.1"}
Source | Rule | Description | Author | Strings
0000000C.00000002.3754528656.000000000283B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
      • 0x1257:$a1: get_encryptedPassword
      • 0x153b:$a2: get_encryptedUsername
      • 0x1063:$a3: get_timePasswordChanged
      • 0x115e:$a4: get_passwordField
      • 0x126d:$a5: set_encryptedPassword
      • 0x28ee:$a7: get_logins
      • 0x2851:$a10: KeyLoggerEventArgs
      • 0x24bc:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
      • 0x624d:$x1: $%SMTPDV$
      • 0x4c10:$x2: $#TheHashHere%&
      • 0x4bbc:$x3: %FTPDV$
      • 0x6323:$x4: $%TelegramDv$
      • 0x24bc:$x5: KeyLoggerEventArgs
      • 0x2851:$x5: KeyLoggerEventArgs
      • 0x6219:$m2: Clipboard Logs ID
      • 0x6473:$m2: Screenshot Logs ID
      • 0x6583:$m2: keystroke Logs ID
      • 0x685d:$m3: SnakePW
      • 0x644b:$m4: \SnakeKeylogger\
0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
11.2.brontothere.exe.14c0000.1.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
11.2.brontothere.exe.14c0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
          • 0x12657:$a1: get_encryptedPassword
          • 0x1293b:$a2: get_encryptedUsername
          • 0x12463:$a3: get_timePasswordChanged
          • 0x1255e:$a4: get_passwordField
          • 0x1266d:$a5: set_encryptedPassword
          • 0x13cee:$a7: get_logins
          • 0x13c51:$a10: KeyLoggerEventArgs
          • 0x138bc:$a11: KeyLoggerEventArgsEventHandler
11.2.brontothere.exe.14c0000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
          • 0x1a01f:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x19251:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x19684:$a4: \Orbitum\User Data\Default\Login Data
          • 0x1a6c3:$a5: \Kometa\User Data\Default\Login Data
11.2.brontothere.exe.14c0000.1.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen
          • 0x13249:$s1: UnHook
          • 0x13250:$s2: SetHook
          • 0x13258:$s3: CallNextHook
          • 0x13265:$s4: _hook
11.2.brontothere.exe.14c0000.1.unpack | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
          • 0x1764d:$x1: $%SMTPDV$
          • 0x16010:$x2: $#TheHashHere%&
          • 0x15fbc:$x3: %FTPDV$
          • 0x17723:$x4: $%TelegramDv$
          • 0x138bc:$x5: KeyLoggerEventArgs
          • 0x13c51:$x5: KeyLoggerEventArgs
          • 0x17619:$m2: Clipboard Logs ID
          • 0x17873:$m2: Screenshot Logs ID
          • 0x17983:$m2: keystroke Logs ID
          • 0x17c5d:$m3: SnakePW
          • 0x1784b:$m4: \SnakeKeylogger\

          System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , ProcessId: 4696, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs" , ProcessId: 4696, ProcessName: wscript.exe

          Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Milburr\brontothere.exe, ProcessId: 2892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:44:14.428651+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:17.317027+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49713 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:18.661966+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49725 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:21.524781+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49744 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:25.519627+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49776 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:30.694284+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49817 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:31.996574+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49823 | 104.21.112.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:44:12.839145+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:13.792316+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:15.432902+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49704 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:16.698738+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49707 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:24.089423+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49762 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:24.964350+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49762 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:26.214397+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49783 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:27.448861+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49791 | 193.122.6.168 | 80 | TCP


          AV Detection

Source: 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://ftp.hogarsancamilo.org/", "FTP Username": "Johnson@hogarsancamilo.org", "Password": "eg0wtRsF5HKA", "Version": "5.1"}
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Virustotal: Detection: 73%
Source: prgNb8YFEA.exe | Virustotal: Detection: 73%
Source: prgNb8YFEA.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Joe Sandbox ML: detected
Source: prgNb8YFEA.exe | Joe Sandbox ML: detected

          Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: prgNb8YFEA.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49702 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49769 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: brontothere.exe, 00000007.00000003.1306310184.0000000004700000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 00000007.00000003.1295020976.0000000004560000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1421324631.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1418348752.0000000003E00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: brontothere.exe, 00000007.00000003.1306310184.0000000004700000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 00000007.00000003.1295020976.0000000004560000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1421324631.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1418348752.0000000003E00000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D84696 GetFileAttributesW,FindFirstFileW,FindClose, | 5_2_00D84696
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 5_2_00D8C9C7
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8C93C FindFirstFileW,FindClose, | 5_2_00D8C93C
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 5_2_00D8F200
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 5_2_00D8F35D
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 5_2_00D8F65E
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 5_2_00D83A2B
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 5_2_00D83D4E
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 5_2_00D8BF27
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose, | 7_2_00B74696
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 7_2_00B7C9C7
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7C93C FindFirstFileW,FindClose, | 7_2_00B7C93C
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 7_2_00B7F200
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 7_2_00B7F35D
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 7_2_00B7F65E
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 7_2_00B73A2B
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 7_2_00B73D4E
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 7_2_00B7BF27
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose, | 11_2_00B74696
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 11_2_00B7C9C7
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7C93C FindFirstFileW,FindClose, | 11_2_00B7C93C
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 11_2_00B7F200
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 11_2_00B7F35D
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 11_2_00B7F65E
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 11_2_00B73A2B
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 11_2_00B73D4E
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 11_2_00B7BF27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02C9FA39h | 8_2_02C9F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02C9E61Fh | 8_2_02C9E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02C9EFA9h | 8_2_02C9E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_02C9D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E1011h | 8_2_054E0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EC761h | 8_2_054EC4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E15D8h | 8_2_054E11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054ED011h | 8_2_054ECD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E15D8h | 8_2_054E1506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EBEB1h | 8_2_054EBC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EF729h | 8_2_054EF480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E0751h | 8_2_054E04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EEA21h | 8_2_054EE778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EB1A9h | 8_2_054EAF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EBA59h | 8_2_054EB7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054ED8C1h | 8_2_054ED618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EE171h | 8_2_054EDEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E0BB1h | 8_2_054E0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054ECBB9h | 8_2_054EC910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054ED469h | 8_2_054ED1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E15D8h | 8_2_054E11B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054E02F1h | 8_2_054E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EC309h | 8_2_054EC060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EF2D1h | 8_2_054EF028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EFB81h | 8_2_054EF8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EB601h | 8_2_054EB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EE5C9h | 8_2_054EE320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EEE79h | 8_2_054EEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054EDD19h | 8_2_054EDA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E7BF5h | 8_2_068E78B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E6473h | 8_2_068E61C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E4A39h | 8_2_068E4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E6A01h | 8_2_068E6758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E5741h | 8_2_068E5498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E0741h | 8_2_068E0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E7709h | 8_2_068E7460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E5FF1h | 8_2_068E5D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E6E59h | 8_2_068E6BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E4E91h | 8_2_068E4BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E45B9h | 8_2_068E4310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E5B99h | 8_2_068E58F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E0B99h | 8_2_068E08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E72B1h | 8_2_068E7008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E02E9h | 8_2_068E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 068E52E9h | 8_2_068E5040

          Networking

Source: Yara match | File source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.112.1 104.21.112.1
          Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
          Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: unknown | DNS query: name: checkip.dyndns.org
          Source: unknown | DNS query: name: reallyfreegeoip.org
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49704 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49783 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49791 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49762 -> 193.122.6.168:80
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49776 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49725 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49744 -> 104.21.112.1:443
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49817 -> 104.21.112.1:443
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49702 version: TLS 1.0
          Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49769 version: TLS 1.0
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 5_2_00D925E2
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
          Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
          Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002729000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
          Source: brontothere.exe, 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, brontothere.exe, 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000274D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: brontothere.exe, 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, brontothere.exe, 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
          Source: RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
          Source: RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1898
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
          Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
          Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
          Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
          Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 5_2_00D9425A
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D94458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 5_2_00D94458
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 7_2_00B84458
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 11_2_00B84458
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 5_2_00D9425A
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D80219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 5_2_00D80219
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00DACDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 5_2_00DACDAC
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B9CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 7_2_00B9CDAC
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B9CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 11_2_00B9CDAC
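The network rows above show the two-stage check Snake Keylogger runs before exfiltration: a GET to checkip.dyndns.org with the outdated "MSIE 6.0 / .NET CLR1.0.3705" User-Agent (which is what Suricata 2803274 fires on), followed by GET /xml/<the learned public IP> at reallyfreegeoip.org. The following detection script is an added example written for this report; it is not Joe Sandbox code and not part of the sample. It parses request heads in the form shown in the "HTTP traffic detected" rows and raises an alert when a source performs the IP check and then, within a short window, the geolocation lookup. The timestamp and client-IP fields, the 120-second window and the sample records are assumptions; the User-Agent is compared with whitespace collapsed because the report renders it as "CLR1.0.3705" and the space may have been lost in extraction.

```python
"""Correlate the checkip.dyndns.org + reallyfreegeoip.org sequence (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators taken from the report rows. Stored already normalised (lower-case,
# single spaces, "clr1.0") so both "CLR1.0.3705" and "CLR 1.0.3705" match.
LEGACY_UA = "mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; .net clr1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEO_HOST = "reallyfreegeoip.org"
GEO_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Request:
    ts: float               # seconds since capture start (assumed: supplied by the pcap/proxy reader)
    src: str                # client IP (assumed: supplied by the pcap/proxy reader)
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(ts: float, src: str, raw: str) -> Request:
    """Parse an HTTP/1.x request head; header names are lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(ts, src, method, path, headers)


def _norm_ua(ua: str) -> str:
    return " ".join(ua.lower().split()).replace("clr 1.0", "clr1.0")


def classify(req: Request):
    """Return ("ipcheck", None), ("geo", ip) or None for a single request."""
    host = req.headers.get("host", "").lower()
    ua = _norm_ua(req.headers.get("user-agent", ""))
    if host in IP_CHECK_HOSTS and req.path == "/" and ua == LEGACY_UA:
        return ("ipcheck", None)
    if host == GEO_HOST:
        m = GEO_PATH.match(req.path)
        if m:
            return ("geo", m.group(1))
    return None


def detect(requests, window: float = 120.0) -> list:
    """One alert per geo lookup that follows a legacy-UA IP check from the same source."""
    alerts = []
    last_ipcheck = {}                  # src -> timestamp of its most recent IP check
    for req in sorted(requests, key=lambda r: r.ts):
        hit = classify(req)
        if hit is None:
            continue
        kind, ip = hit
        if kind == "ipcheck":
            last_ipcheck[req.src] = req.ts
            continue
        t0 = last_ipcheck.get(req.src)
        if t0 is None or not (0 <= req.ts - t0 <= window):
            continue
        if not ipaddress.ip_address(ip).is_global:
            continue                   # a private/reserved address is not a learned public IP
        alerts.append({"src": req.src, "public_ip": ip, "delay": req.ts - t0,
                       "rule": "ipcheck followed by reallyfreegeoip lookup (Snake Keylogger pattern)"})
    return alerts


# Constructed sample traffic modelled on the report's rows (not captured data).
SAMPLE = [
    parse_request(10.0, "192.168.2.7",
        "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
        "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n"),
    parse_request(13.0, "192.168.2.7",
        "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n"),
    # Benign: a browser visiting the same IP-check site with a current User-Agent.
    parse_request(20.0, "192.168.2.9",
        "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
        "Host: checkip.dyndns.org\r\n\r\n"),
    # Geo lookup with no preceding legacy-UA IP check from that source: not correlated.
    parse_request(25.0, "192.168.2.9",
        "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The correlation matters more than either request on its own: checkip.dyndns.org is used by legitimate software, and reallyfreegeoip.org lookups occur in plenty of benign telemetry, but the legacy User-Agent plus the back-to-back sequence from one source is what the report documents for this family. Feed real traffic by building Request objects from your proxy or Zeek http.log fields instead of the constructed SAMPLE list.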

          System Summary

          barindex
          Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
          Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: This is a third-party compiled AutoIt script.5_2_00D23B4C
          Source: prgNb8YFEA.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: prgNb8YFEA.exe, 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5a92bc8e-7
          Source: prgNb8YFEA.exe, 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9a68f3a4-2
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: This is a third-party compiled AutoIt script.7_2_00B13B4C
          Source: brontothere.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: brontothere.exe, 00000007.00000002.1308456068.0000000000BC5000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ea2221a6-6
          Source: brontothere.exe, 00000007.00000002.1308456068.0000000000BC5000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_41b389bf-9
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: This is a third-party compiled AutoIt script.11_2_00B13B4C
          Source: brontothere.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: brontothere.exe, 0000000B.00000002.1424429262.0000000000BC5000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4a03fbee-9
          Source: brontothere.exe, 0000000B.00000002.1424429262.0000000000BC5000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4569a26f-9
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D23633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,5_2_00D23633
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,5_2_00DAC27C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC220 NtdllDialogWndProc_W,5_2_00DAC220
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,5_2_00DAC49C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,5_2_00DAC788
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,5_2_00DAC8EE
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAC86D SendMessageW,NtdllDialogWndProc_W,5_2_00DAC86D
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACBF9 NtdllDialogWndProc_W,5_2_00DACBF9
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACBAE NtdllDialogWndProc_W,5_2_00DACBAE
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACB50 NtdllDialogWndProc_W,5_2_00DACB50
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACB7F NtdllDialogWndProc_W,5_2_00DACB7F
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACC2E ClientToScreen,NtdllDialogWndProc_W,5_2_00DACC2E
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_00DACDAC
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DACD6C GetWindowLongW,NtdllDialogWndProc_W,5_2_00DACD6C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D21290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,5_2_00D21290
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D21287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,5_2_00D21287
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D216DE GetParent,NtdllDialogWndProc_W,5_2_00D216DE
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAD6C6 NtdllDialogWndProc_W,5_2_00DAD6C6
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D216B5 NtdllDialogWndProc_W,5_2_00D216B5
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D2167D NtdllDialogWndProc_W,5_2_00D2167D
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DAD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,5_2_00DAD74C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D2189B NtdllDialogWndProc_W,5_2_00D2189B
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DADA9A NtdllDialogWndProc_W,5_2_00DADA9A
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00DABF4D NtdllDialogWndProc_W,CallWindowProcW,5_2_00DABF4D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B13633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,7_2_00B13633
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C220 NtdllDialogWndProc_W,7_2_00B9C220
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,7_2_00B9C27C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,7_2_00B9C49C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,7_2_00B9C788
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,7_2_00B9C8EE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9C86D SendMessageW,NtdllDialogWndProc_W,7_2_00B9C86D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CBAE NtdllDialogWndProc_W,7_2_00B9CBAE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CBF9 NtdllDialogWndProc_W,7_2_00B9CBF9
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CB7F NtdllDialogWndProc_W,7_2_00B9CB7F
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CB50 NtdllDialogWndProc_W,7_2_00B9CB50
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CC2E ClientToScreen,NtdllDialogWndProc_W,7_2_00B9CC2E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,7_2_00B9CDAC
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9CD6C GetWindowLongW,NtdllDialogWndProc_W,7_2_00B9CD6C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B11290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,7_2_00B11290
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B11287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,7_2_00B11287
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B116B5 NtdllDialogWndProc_W,7_2_00B116B5
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B116DE GetParent,NtdllDialogWndProc_W,7_2_00B116DE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9D6C6 NtdllDialogWndProc_W,7_2_00B9D6C6
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B1167D NtdllDialogWndProc_W,7_2_00B1167D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,7_2_00B9D74C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B1189B NtdllDialogWndProc_W,7_2_00B1189B
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9DA9A NtdllDialogWndProc_W,7_2_00B9DA9A
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B9BF4D NtdllDialogWndProc_W,CallWindowProcW,7_2_00B9BF4D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B13633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,11_2_00B13633
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C220 NtdllDialogWndProc_W,11_2_00B9C220
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,11_2_00B9C27C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,11_2_00B9C49C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,11_2_00B9C788
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,11_2_00B9C8EE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9C86D SendMessageW,NtdllDialogWndProc_W,11_2_00B9C86D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CBAE NtdllDialogWndProc_W,11_2_00B9CBAE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CBF9 NtdllDialogWndProc_W,11_2_00B9CBF9
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CB7F NtdllDialogWndProc_W,11_2_00B9CB7F
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CB50 NtdllDialogWndProc_W,11_2_00B9CB50
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CC2E ClientToScreen,NtdllDialogWndProc_W,11_2_00B9CC2E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,11_2_00B9CDAC
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9CD6C GetWindowLongW,NtdllDialogWndProc_W,11_2_00B9CD6C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B11290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,11_2_00B11290
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B11287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E4C8D0,NtdllDialogWndProc_W,11_2_00B11287
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B116B5 NtdllDialogWndProc_W,11_2_00B116B5
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B116DE GetParent,NtdllDialogWndProc_W,11_2_00B116DE
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9D6C6 NtdllDialogWndProc_W,11_2_00B9D6C6
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1167D NtdllDialogWndProc_W,11_2_00B1167D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,11_2_00B9D74C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1189B NtdllDialogWndProc_W,11_2_00B1189B
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9DA9A NtdllDialogWndProc_W,11_2_00B9DA9A
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9BF4D NtdllDialogWndProc_W,CallWindowProcW,11_2_00B9BF4D
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D840B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,5_2_00D840B1
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D78858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74F35590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,5_2_00D78858
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D8545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_00D8545F
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,7_2_00B7545F
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_00B7545F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E6FF98_2_068E6FF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E7F008_2_068E7F00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E67488_2_068E6748
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E67588_2_068E6758
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E548A8_2_068E548A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E04888_2_068E0488
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E54988_2_068E5498
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E04988_2_068E0498
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068EACF08_2_068EACF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E74508_2_068E7450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E74608_2_068E7460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E35A88_2_068E35A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E5D3A8_2_068E5D3A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E5D488_2_068E5D48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E8D6F8_2_068E8D6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E9A078_2_068E9A07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E6BA08_2_068E6BA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E6BB08_2_068E6BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E93C08_2_068E93C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E4BD88_2_068E4BD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E4BE88_2_068E4BE8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E43008_2_068E4300
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E43108_2_068E4310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068EB3408_2_068EB340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E28A88_2_068E28A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E78A88_2_068E78A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E58E08_2_068E58E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E08E18_2_068E08E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E58F08_2_068E58F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E08F08_2_068E08F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E70088_2_068E7008
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E00068_2_068E0006
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E50328_2_068E5032
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E00408_2_068E0040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E50408_2_068E5040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068EA0508_2_068EA050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068EB99B8_2_068EB99B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_068E61B88_2_068E61B8
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1E80011_2_00B1E800
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3DBB511_2_00B3DBB5
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1FE4011_2_00B1FE40
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1E06011_2_00B1E060
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9804A11_2_00B9804A
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B2414011_2_00B24140
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3240511_2_00B32405
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B4652211_2_00B46522
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B4267E11_2_00B4267E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B9066511_2_00B90665
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3283A11_2_00B3283A
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B2684311_2_00B26843
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B489DF11_2_00B489DF
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B46A9411_2_00B46A94
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B90AE211_2_00B90AE2
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B28A0E11_2_00B28A0E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B78B1311_2_00B78B13
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B6EB0711_2_00B6EB07
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3CD6111_2_00B3CD61
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B4700611_2_00B47006
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B2319011_2_00B23190
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B2710E11_2_00B2710E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B1128711_2_00B11287
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B333C711_2_00B333C7
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3F41911_2_00B3F419
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B2568011_2_00B25680
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B316C411_2_00B316C4
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B378D311_2_00B378D3
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B258C011_2_00B258C0
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B31BB811_2_00B31BB8
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B49D0511_2_00B49D05
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3BFE611_2_00B3BFE6
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B31FD011_2_00B31FD0
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_016BD53011_2_016BD530
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: String function: 00D48B40 appears 42 times
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: String function: 00D27F41 appears 35 times
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: String function: 00D40D27 appears 70 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B39FB5 appears 46 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B11D35 appears 38 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B33A0B appears 38 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B38B40 appears 84 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B17F41 appears 70 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B19A20 appears 46 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B41B90 appears 58 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B15A64 appears 50 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B30D27 appears 140 times
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: String function: 00B3313D appears 42 times
Source: prgNb8YFEA.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D8A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D78713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D78CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_00B68713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_00B68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_00B68713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_00B68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D8B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D9F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D986D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\prgNb8YFEA.exe File created: C:\Users\user\AppData\Local\Milburr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\prgNb8YFEA.exe File created: C:\Users\user~1\AppData\Local\Temp\autBACB.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000008.00000002.3754613774.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.000000000309B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000003056000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3756941917.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000028A3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3756660371.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000028C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: prgNb8YFEA.exe Virustotal: Detection: 73%
Source: prgNb8YFEA.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\prgNb8YFEA.exe File read: C:\Users\user\Desktop\prgNb8YFEA.exe
Source: unknown Process created: C:\Users\user\Desktop\prgNb8YFEA.exe "C:\Users\user\Desktop\prgNb8YFEA.exe"
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Process created: C:\Users\user\AppData\Local\Milburr\brontothere.exe "C:\Users\user\Desktop\prgNb8YFEA.exe"
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\prgNb8YFEA.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Milburr\brontothere.exe "C:\Users\user\AppData\Local\Milburr\brontothere.exe"
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Milburr\brontothere.exe"
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\prgNb8YFEA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Binary string: wntdll.pdbUGP source: brontothere.exe, 00000007.00000003.1306310184.0000000004700000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 00000007.00000003.1295020976.0000000004560000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1421324631.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1418348752.0000000003E00000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: brontothere.exe, 00000007.00000003.1306310184.0000000004700000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 00000007.00000003.1295020976.0000000004560000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1421324631.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, brontothere.exe, 0000000B.00000003.1418348752.0000000003E00000.00000004.00001000.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00E37080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_00E37080
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D48B85 push ecx; ret 5_2_00D48B98
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_00B38B85 push ecx; ret 7_2_00B38B98
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_0184CF19 push es; iretd 7_2_0184CF1A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_054E2EFA pushad ; iretd 8_2_054E2F01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_054E2890 push eax; retf 8_2_054E2891
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_068EDA21 push esp; iretd 8_2_068EDA35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_068EDA36 push esp; iretd 8_2_068EDA39
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_00B38B85 push ecx; ret 11_2_00B38B98
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_016BDB41 push es; iretd 11_2_016BDB42
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_016B9DA4 push ebp; ret 11_2_016B9EB9
          Source: initial sample Static PE information: section name: UPX0
          Source: initial sample Static PE information: section name: UPX1
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe File created: C:\Users\user\AppData\Local\Milburr\brontothere.exe

          Boot Survival

          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00D24A35
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00DA55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_00DA55FD
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_00B14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_00B14A35
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 7_2_00B955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_00B955FD
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_00B14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_00B14A35
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Code function: 11_2_00B955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_00B955FD
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Code function: 5_2_00D433C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00D433C7
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe API/Special instruction interceptor: Address: 184B99C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe API/Special instruction interceptor: Address: 16BD154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599728
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599344
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598825
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598576
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598469
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598329
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598079
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597954
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597829
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597719
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597389
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597281
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596953
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596844
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596234
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596102
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595938
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595778
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595492
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595319
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595182
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594982Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594688Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594578Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594469Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594344Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594234Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594125Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594016Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593906Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593795Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593664Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593562Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593453Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593344Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593235Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593110Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592983Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592875Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592766Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592657Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592532Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592407Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592168Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599547Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599328Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599219Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599109Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598891Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598766Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598641Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598531Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598422Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598308Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598203Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598094Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597981Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597875Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597766Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597641Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597516Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597406Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597297Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597188Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597063Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596938Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596828Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596719Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596594Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596375Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596266Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596047Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595827Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595719Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595578Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595466Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594995Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594250Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594124Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594016Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593906Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593797Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593687Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593578Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593458Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593328Jump to behavior
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3395
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6407
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2762
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7063
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | API coverage: 4.4 %
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | API coverage: 4.6 %
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | API coverage: 4.5 %
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D84696 GetFileAttributesW,FindFirstFileW,FindClose,5_2_00D84696
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00D8C9C7
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8C93C FindFirstFileW,FindClose,5_2_00D8C93C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00D8F200
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00D8F35D
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00D8F65E
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00D83A2B
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00D83D4E
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00D8BF27
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose,7_2_00B74696
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,7_2_00B7C9C7
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7C93C FindFirstFileW,FindClose,7_2_00B7C93C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00B7F200
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00B7F35D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00B7F65E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00B73A2B
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00B73D4E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00B7BF27
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose,11_2_00B74696
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00B7C9C7
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7C93C FindFirstFileW,FindClose,11_2_00B7C93C
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B7F200
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B7F35D
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B7F65E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B73A2B
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B73D4E
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B7BF27
          Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00D24AFE
          Source: RegSvcs.exe, 00000008.00000002.3753105579.0000000001037000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
          Source: RegSvcs.exe, 0000000C.00000002.3753150890.0000000000A07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeAPI call chain: ExitProcess graph end nodegraph_5-98909
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeAPI call chain: ExitProcess graph end nodegraph_5-99143
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_054E77A8 LdrInitializeThunk,8_2_054E77A8
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D941FD BlockInput,5_2_00D941FD
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00D23B4C
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D55CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,5_2_00D55CCC
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00E37080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,5_2_00E37080
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_0122B338 mov eax, dword ptr fs:[00000030h]5_2_0122B338
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_0122B398 mov eax, dword ptr fs:[00000030h]5_2_0122B398
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_01229CD8 mov eax, dword ptr fs:[00000030h]5_2_01229CD8
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_0184A5A8 mov eax, dword ptr fs:[00000030h]7_2_0184A5A8
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_0184BC08 mov eax, dword ptr fs:[00000030h]7_2_0184BC08
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_0184BC68 mov eax, dword ptr fs:[00000030h]7_2_0184BC68
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_016BD3C0 mov eax, dword ptr fs:[00000030h]11_2_016BD3C0
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_016BD420 mov eax, dword ptr fs:[00000030h]11_2_016BD420
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_016BBD60 mov eax, dword ptr fs:[00000030h]11_2_016BBD60
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00D781F7
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D4A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00D4A395
          Source: C:\Users\user\Desktop\prgNb8YFEA.exeCode function: 5_2_00D4A364 SetUnhandledExceptionFilter,5_2_00D4A364
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00B3A395
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 7_2_00B3A364 SetUnhandledExceptionFilter,7_2_00B3A364
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00B3A395
          Source: C:\Users\user\AppData\Local\Milburr\brontothere.exeCode function: 11_2_00B3A364 SetUnhandledExceptionFilter,11_2_00B3A364
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DE7008
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C008
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D78C93 LogonUserW, | 5_2_00D78C93
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 5_2_00D23B4C
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 5_2_00D24A35
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D84EC9 mouse_event, | 5_2_00D84EC9
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\prgNb8YFEA.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Milburr\brontothere.exe "C:\Users\user\AppData\Local\Milburr\brontothere.exe"
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Milburr\brontothere.exe"
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 5_2_00D781F7
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D84C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 5_2_00D84C03
Source: prgNb8YFEA.exe, 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp, brontothere.exe, 00000007.00000002.1308456068.0000000000BC5000.00000040.00000001.01000000.00000005.sdmp, brontothere.exe, 0000000B.00000002.1424429262.0000000000BC5000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: brontothere.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D4886B cpuid | 5_2_00D4886B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 5_2_00D550D7
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D62230 GetUserNameW, | 5_2_00D62230
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D5418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 5_2_00D5418A
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 5_2_00D24AFE
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3754528656.000000000283B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3754613774.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: brontothere.exe | Binary or memory string: WIN_81
Source: brontothere.exe | Binary or memory string: WIN_XP
Source: brontothere.exe | Binary or memory string: WIN_XPe
Source: brontothere.exe | Binary or memory string: WIN_VISTA
Source: brontothere.exe | Binary or memory string: WIN_7
Source: brontothere.exe | Binary or memory string: WIN_8
Source: brontothere.exe, 0000000B.00000002.1424429262.0000000000BC5000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

Source: Yara match | File source: 11.2.brontothere.exe.14c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.brontothere.exe.2860000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.brontothere.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.brontothere.exe.2860000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3754528656.000000000283B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3754613774.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: brontothere.exe PID: 2892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: brontothere.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D96596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 5_2_00D96596
Source: C:\Users\user\Desktop\prgNb8YFEA.exe | Code function: 5_2_00D96A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 5_2_00D96A5A
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 7_2_00B86596
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 7_2_00B86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 7_2_00B86A5A
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 11_2_00B86596
Source: C:\Users\user\AppData\Local\Milburr\brontothere.exe | Code function: 11_2_00B86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 11_2_00B86A5A
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact); the per-technique cells and their hit counts did not survive the flattened layout and are not reproduced here.
Behavior Graph ID: 1588806 | Sample: prgNb8YFEA.exe | Startdate: 11/01/2025 | Architecture: WINDOWS | Score: 100
Start node: DNS/IP reallyfreegeoip.org, checkip.dyndns.org, checkip.dyndns.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures; started prgNb8YFEA.exe (4) and wscript.exe (1)
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
prgNb8YFEA.exe: dropped C:\Users\user\AppData\...\brontothere.exe (PE32); Binary is likely a compiled AutoIt script file; started brontothere.exe (2)
wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage); started brontothere.exe (1)
brontothere.exe (from prgNb8YFEA.exe): dropped C:\Users\user\AppData\...\brontothere.vbs (data); Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures; started RegSvcs.exe (15, 2)
brontothere.exe (from wscript.exe): Writes to foreign memory regions; Maps a DLL or memory area into another process; started RegSvcs.exe (2)
RegSvcs.exe (from the first brontothere.exe): checkip.dyndns.com 193.122.6.168, 49701, 49704, 49707 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.112.1, 443, 49702, 49703 CLOUDFLARENETUS United States
RegSvcs.exe (from the second brontothere.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
prgNb8YFEA.exe | 73% | Virustotal |
prgNb8YFEA.exe | 61% | ReversingLabs | Win32.Spyware.Snakekeylogger
prgNb8YFEA.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Milburr\brontothere.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Milburr\brontothere.exe | 61% | ReversingLabs | Win32.Spyware.Snakekeylogger
C:\Users\user\AppData\Local\Milburr\brontothere.exe | 73% | Virustotal |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.112.1 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.1898 | RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002729000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | brontothere.exe, 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, brontothere.exe, 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp | false
                                high
                                https://reallyfreegeoip.org/xml/8.46.123.189$RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002778000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://reallyfreegeoip.orgRegSvcs.exe, 00000008.00000002.3754613774.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000282D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000274D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.00000000027D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.000000000281F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://reallyfreegeoip.org/xml/brontothere.exe, 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3754613774.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, brontothere.exe, 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3754528656.0000000002735000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.112.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588806
Start date and time: 2025-01-11 05:43:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: prgNb8YFEA.exe (renamed because the original name is a hash value)
Original Sample Name: e248994d1154ecc091a72040543631f6faf42e980b524193b6ea207262a374a7.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 56
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:44:10 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs
23:44:12 | API Interceptor | 12109043x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.112.1 | BalphRTkPS.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.112.1 | 9MZZG92yMO.exe | malicious | FormBook | www.buyspeechst.shop/qzi3/
104.21.112.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.buyspeechst.shop/w98i/
104.21.112.1 | wxl1r0lntg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
104.21.112.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | beammp.com/phpmyadmin/
193.122.6.168 | fpIGwanLZi.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 2NJzy3tiny.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | hZbkP3TJBJ.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | wZ6VEnOkie.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | tNXl4XhgmV.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | MBOaS3GRtF.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | fpIGwanLZi.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | fpIGwanLZi.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
reallyfreegeoip.org | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | fpIGwanLZi.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | rwlPT9YJt0.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
CLOUDFLARENETUS | wSoShbuXnJ.exe | malicious | FormBook | 104.21.86.111
CLOUDFLARENETUS | 1507513743282749438.js | malicious | Strela Downloader | 162.159.61.3
CLOUDFLARENETUS | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | C6Abn5cBei.exe | malicious | FormBook | 172.67.145.234
CLOUDFLARENETUS | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
CLOUDFLARENETUS | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | ZcshRk2lgh.exe | malicious | FormBook | 104.21.15.100
CLOUDFLARENETUS | ydJaT4b5N8.exe | malicious | FormBook | 104.21.48.1
CLOUDFLARENETUS | leUmNO9XPu.exe | malicious | HawkEye, MailPassView | 104.19.223.79
CLOUDFLARENETUS | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.112.1
                                      No context
Process: C:\Users\user\Desktop\prgNb8YFEA.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: modified
Size (bytes): 609280
Entropy (8bit): 7.586046761793758
Encrypted: false
SSDEEP: 12288:oYV6MorX7qzuC3QHO9FQVHPF51jgc7nbUwhIZLBZE:HBXu9HGaVH7nbUwGfE
MD5: 5314DC731381DE014B294374B0EB7666
SHA1: 9E3577F1495FDBB76115231A8A6680DB0BED3632
SHA-256: E248994D1154ECC091A72040543631F6FAF42E980B524193B6EA207262A374A7
SHA-512: 0EB21211A73870D1D9681CD236BCB6EDFE5E2049477FC4773C8F7E3F9868352DAC55BD95DF8B3547BDAD060AE2EE05B8E8A7280B904F273DEFF0C2881B431F44
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 61%
• Antivirus: Virustotal, Detection: 73%
Reputation: low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L.....jg.........."......p...........p............@..........................p............@...@.......@......................]..$............................b......................................dr..H...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
Process: C:\Users\user\Desktop\prgNb8YFEA.exe
File Type: data
Category: dropped
Size (bytes): 87750
Entropy (8bit): 7.904845056128631
Encrypted: false
SSDEEP: 1536:QI8LaSvhGSW7QlGOn4xlomSt9lVynGSTUAJ/kEFCuDJg0DHCvrVmXA:pSvhGz71On+lomafUGSTNJfPW0mvYA
MD5: 080F0A7871A4B2664AE741D4AA16D99C
SHA1: BB6008B3B45BCA6DD65DD22A76F2DB85AB12F06B
SHA-256: 94B2EF3D6075BB2D32D96F0FD6F844D9F6A171757025569D5C9B7B49BF200086
SHA-512: 7576F61F3EF4017125B78A652EB16FF582DF3740B16373AFBD85BE41E04DA97EA6954F78F568FFC9E9A2565A29A90722063B8946FEDCF04CCD7138CA9AC10A86
Malicious: false
Reputation: low
                                      Preview:EA06........Y.6gH.Uf4...m4.....$.sM..)..E.s6.N@..3...6`.D........g.E..-.y..M..M*..5bE..Ikuy...,.Dg.:.Z.W..#.x.REW..+..5..#1K.....j...F.....6cI..,4.7No4....1...*..`.......I.... U.4...Fh..Z.Q'3i..F't.6.U..(..FQQ.I@.1!...&.1.A@6...i...u|..4.j.....~.Y.6v.%..5...v/;..f....CO...zqO.T..>..>q1.Q.S.......~f..Hhf@....q...s....9..ZfsO.H5s../..P..Z|~....J....i........s5.$55.$.#V.R>.....e.r...%......wL.U...MN......).@."(.HV.....AG.$&..........P.B..HW.....!F.$$....U.....r1O.V....#H.W.4.4.eG....I..7....7.u6.Og.......q.h.2.3.Lg4...=5.l..uVU#..f...3.D.Mg5h..W.....'i.T.R..6gS.].4.4.. ..U......?..x.!...;...... .(.i......z..a~....@.-W..."...w..)...q,.Z,..../...Z.......jo........I9.W...EJW...f..p..n....|J.D..@..d...D#.z|..G.Nh.:U6Q..Q..I....D.....1.[.@..uy...6*..V#.y.P.......}2...4..N.H..-5.d..X.l..}FA9..@.....J.S....P...V%.0."9...%.......2...`...$.p...s...J...........'T...cb...$...i;:|.n......5L.F.z'.......JuVkg.D.i..iQ.Lbv.....[g1..E.Q&..<V.5...).z6. r
Process: C:\Users\user\AppData\Local\Milburr\brontothere.exe
File Type: data
Category: dropped
Size (bytes): 87750
Entropy (8bit): 7.904845056128631
Encrypted: false
SSDEEP: 1536:QI8LaSvhGSW7QlGOn4xlomSt9lVynGSTUAJ/kEFCuDJg0DHCvrVmXA:pSvhGz71On+lomafUGSTNJfPW0mvYA
MD5: 080F0A7871A4B2664AE741D4AA16D99C
SHA1: BB6008B3B45BCA6DD65DD22A76F2DB85AB12F06B
SHA-256: 94B2EF3D6075BB2D32D96F0FD6F844D9F6A171757025569D5C9B7B49BF200086
SHA-512: 7576F61F3EF4017125B78A652EB16FF582DF3740B16373AFBD85BE41E04DA97EA6954F78F568FFC9E9A2565A29A90722063B8946FEDCF04CCD7138CA9AC10A86
Malicious: false
Reputation: low
                                      Preview:EA06........Y.6gH.Uf4...m4.....$.sM..)..E.s6.N@..3...6`.D........g.E..-.y..M..M*..5bE..Ikuy...,.Dg.:.Z.W..#.x.REW..+..5..#1K.....j...F.....6cI..,4.7No4....1...*..`.......I.... U.4...Fh..Z.Q'3i..F't.6.U..(..FQQ.I@.1!...&.1.A@6...i...u|..4.j.....~.Y.6v.%..5...v/;..f....CO...zqO.T..>..>q1.Q.S.......~f..Hhf@....q...s....9..ZfsO.H5s../..P..Z|~....J....i........s5.$55.$.#V.R>.....e.r...%......wL.U...MN......).@."(.HV.....AG.$&..........P.B..HW.....!F.$$....U.....r1O.V....#H.W.4.4.eG....I..7....7.u6.Og.......q.h.2.3.Lg4...=5.l..uVU#..f...3.D.Mg5h..W.....'i.T.R..6gS.].4.4.. ..U......?..x.!...;...... .(.i......z..a~....@.-W..."...w..)...q,.Z,..../...Z.......jo........I9.W...EJW...f..p..n....|J.D..@..d...D#.z|..G.Nh.:U6Q..Q..I....D.....1.[.@..uy...6*..V#.y.P.......}2...4..N.H..-5.d..X.l..}FA9..@.....J.S....P...V%.0."9...%.......2...`...$.p...s...J...........'T...cb...$...i;:|.n......5L.F.z'.......JuVkg.D.i..iQ.Lbv.....[g1..E.Q&..<V.5...).z6. r
Process: C:\Users\user\AppData\Local\Milburr\brontothere.exe
File Type: data
Category: dropped
Size (bytes): 87750
Entropy (8bit): 7.904845056128631
Encrypted: false
SSDEEP: 1536:QI8LaSvhGSW7QlGOn4xlomSt9lVynGSTUAJ/kEFCuDJg0DHCvrVmXA:pSvhGz71On+lomafUGSTNJfPW0mvYA
MD5: 080F0A7871A4B2664AE741D4AA16D99C
SHA1: BB6008B3B45BCA6DD65DD22A76F2DB85AB12F06B
SHA-256: 94B2EF3D6075BB2D32D96F0FD6F844D9F6A171757025569D5C9B7B49BF200086
SHA-512: 7576F61F3EF4017125B78A652EB16FF582DF3740B16373AFBD85BE41E04DA97EA6954F78F568FFC9E9A2565A29A90722063B8946FEDCF04CCD7138CA9AC10A86
Malicious: false
Reputation: low
                                      Preview:EA06........Y.6gH.Uf4...m4.....$.sM..)..E.s6.N@..3...6`.D........g.E..-.y..M..M*..5bE..Ikuy...,.Dg.:.Z.W..#.x.REW..+..5..#1K.....j...F.....6cI..,4.7No4....1...*..`.......I.... U.4...Fh..Z.Q'3i..F't.6.U..(..FQQ.I@.1!...&.1.A@6...i...u|..4.j.....~.Y.6v.%..5...v/;..f....CO...zqO.T..>..>q1.Q.S.......~f..Hhf@....q...s....9..ZfsO.H5s../..P..Z|~....J....i........s5.$55.$.#V.R>.....e.r...%......wL.U...MN......).@."(.HV.....AG.$&..........P.B..HW.....!F.$$....U.....r1O.V....#H.W.4.4.eG....I..7....7.u6.Og.......q.h.2.3.Lg4...=5.l..uVU#..f...3.D.Mg5h..W.....'i.T.R..6gS.].4.4.. ..U......?..x.!...;...... .(.i......z..a~....@.-W..."...w..)...q,.Z,..../...Z.......jo........I9.W...EJW...f..p..n....|J.D..@..d...D#.z|..G.Nh.:U6Q..Q..I....D.....1.[.@..uy...6*..V#.y.P.......}2...4..N.H..-5.d..X.l..}FA9..@.....J.S....P...V%.0."9...%.......2...`...$.p...s...J...........'T...cb...$...i;:|.n......5L.F.z'.......JuVkg.D.i..iQ.Lbv.....[g1..E.Q&..<V.5...).z6. r
Process: C:\Users\user\Desktop\prgNb8YFEA.exe
File Type: data
Category: modified
Size (bytes): 131072
Entropy (8bit): 6.998701347678074
Encrypted: false
SSDEEP: 3072:uWsp4sHRAyqrjGwVtZOtaJ5YyYage3Vjd3KCAPdtvCin:UpVHivmwLJ5t9KNn
MD5: CDD378F43140DDD4B4487EE7459D98D7
SHA1: 8EEF98A4C9DE80E461125304D25F62D7CF27B777
SHA-256: A5D1AA75FD07BFEC093BA72CEC8BE5A1F5537774A3BCC96D06426F56B5554EFE
SHA-512: 9A18EE8BC2C6E07F72EDEB236C9EC57812F63D4131B8841871627C7855A91FDC2A99E475A4BB663CA9057771C77EFC914BA4DB32AFC2CF13F38F0BBB0F979D56
Malicious: false
Reputation: low
                                      Preview:u..5:M3HJU1L..64.O8QD59MsHNU1LF9649O8QD59M3HNU1LF9649O8QD59M.HNU?S.76.0...Ey.lg '&.<4VQFX".2%[W"Gh,0.>3W.]Wo|...T"W-`X<Fb9649O8Q.p9M.IMU.a._649O8QD5.M1IETaLF.749[8QD59M.ALU1lF96.;O8Q.59m3HNW1LB9649O8Q@59M3HNU1,D9669O8QD5;Ms.NU!LF)649O(QD%9M3HNU!LF9649O8QD5ID1H.U1LF.44._8QD59M3HNU1LF9649O8.F55M3HNU1LF9649O8QD59M3HNU1LF9649O8QD59M3HNU1LF9649O8QD.9M;HNU1LF9649O0qD5qM3HNU1LF964.;])059M..OU1lF96.8O8SD59M3HNU1LF964.O81jGJ?PHNU.\F96.;O8CD59.2HNU1LF9649O8Q.59..:+9^/F9:49O8.F59O3HN.0LF9649O8QD59MsHN.1LF9649O8QD59M3H.\3LF964qO8QF5<M.SOU..F9549O.QD3.V2H.U1LF9649O8QD59M3HNU1LF9649O8QD59M3HNU1LF964.2.^..$@.U1LF965;L<WL=9M3HNU1L8964.O8Q.59M.HNU.LF9[49O.QD5GM3H0U1L"964KO8Q%59MtHNU^LF9X49OFQD5'O.hNU;f`94..O8[D..>.HN_.MF92G.O8[.79M7;jU1F.:64=<.QD?.I3HJ&.LF3.19O<{.5:.%NNU*#.96>9L.DB59V.nNW.vF9<4.i8R. ?M3Sdw1N.064=en"Y59K..NU;8O966.E8Q@.'O..NU;fdG&49K.Qn.G\3HJ~1fdG$49K.Qn.G^3HJ~1fdG"49K.Qn+;.'HNQ.n8,64=d8{fK/M3LeU.n8.64=d8{Z7.Z3HJ.7f$9D^%OHR+.9M5`.U1FnY64?O.kDK.M3LL:.LF3..gO:yG49G3JM(.LF=40Dx8Q@.oM13wU
                                      Process:C:\Users\user\AppData\Local\Milburr\brontothere.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):286
                                      Entropy (8bit):3.4247564872866394
                                      Encrypted:false
                                      SSDEEP:6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1olFe3CnDdnriIM8lfQVn:DsO+vNlMkXg1Q1olE3AmA2n
                                      MD5:724591EB75B9AC723085FFDCA4749631
                                      SHA1:2C143E8A219D5B916760B5BA7540F81E32D56A5E
                                      SHA-256:10AA83853CAEC24F1B4B51495B37C33DA7E918A07AE1AA213FC3DE2877DE853A
                                      SHA-512:3CE7F7690C533893C4533BBE68B9B3B263C98B36218FF01BDE7AD36D6F3A117B09BFF15CC0FE94F42F8FACAA816BB78E718C6A75A209C68A5D6E032E45AAD20D
                                      Malicious:true
                                      Reputation:low
                                      Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.l.b.u.r.r.\.b.r.o.n.t.o.t.h.e.r.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Entropy (8bit):7.586046761793758
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.39%
                                      • UPX compressed Win32 Executable (30571/9) 0.30%
                                      • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      File name:prgNb8YFEA.exe
                                      File size:609'280 bytes
                                      MD5:5314dc731381de014b294374b0eb7666
                                      SHA1:9e3577f1495fdbb76115231a8a6680db0bed3632
                                      SHA256:e248994d1154ecc091a72040543631f6faf42e980b524193b6ea207262a374a7
                                      SHA512:0eb21211a73870d1d9681cd236bcb6edfe5e2049477fc4773c8f7e3f9868352dac55bd95df8b3547bdad060ae2ee05b8e8a7280b904f273deff0c2881b431f44
                                      SSDEEP:12288:oYV6MorX7qzuC3QHO9FQVHPF51jgc7nbUwhIZLBZE:HBXu9HGaVH7nbUwGfE
                                      TLSH:90D401877680556BC425FEB784371D20E397AD99A5B87206298F7D24A3B76E3303318F
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                      Icon Hash:0d2d0d1723293133
                                      Entrypoint:0x517080
                                      Entrypoint Section:UPX1
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x676A9DB0 [Tue Dec 24 11:40:32 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:fc6683d30d9f25244a50fd5357825e79
                                      Instruction
                                      pushad
                                      mov esi, 004C1000h
                                      lea edi, dword ptr [esi-000C0000h]
                                      push edi
                                      jmp 00007F47ACE6CAFDh
                                      nop
                                      mov al, byte ptr [esi]
                                      inc esi
                                      mov byte ptr [edi], al
                                      inc edi
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F47ACE6CADFh
                                      mov eax, 00000001h
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc eax, eax
                                      add ebx, ebx
                                      jnc 00007F47ACE6CAFDh
                                      jne 00007F47ACE6CB1Ah
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F47ACE6CB11h
                                      dec eax
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc eax, eax
                                      jmp 00007F47ACE6CAC6h
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc ecx, ecx
                                      jmp 00007F47ACE6CB44h
                                      xor ecx, ecx
                                      sub eax, 03h
                                      jc 00007F47ACE6CB03h
                                      shl eax, 08h
                                      mov al, byte ptr [esi]
                                      inc esi
                                      xor eax, FFFFFFFFh
                                      je 00007F47ACE6CB67h
                                      sar eax, 1
                                      mov ebp, eax
                                      jmp 00007F47ACE6CAFDh
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F47ACE6CABEh
                                      inc ecx
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F47ACE6CAB0h
                                      add ebx, ebx
                                      jne 00007F47ACE6CAF9h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc ecx, ecx
                                      add ebx, ebx
                                      jnc 00007F47ACE6CAE1h
                                      jne 00007F47ACE6CAFBh
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jnc 00007F47ACE6CAD6h
                                      add ecx, 02h
                                      cmp ebp, FFFFFB00h
                                      adc ecx, 02h
                                      lea edx, dword ptr [edi+ebp]
                                      cmp ebp, FFFFFFFCh
                                      jbe 00007F47ACE6CB00h
                                      mov al, byte ptr [edx]
                                      Programming Language:
                                      • [ASM] VS2013 build 21005
                                      • [ C ] VS2013 build 21005
                                      • [C++] VS2013 build 21005
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [ASM] VS2013 UPD5 build 40629
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x155dec | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x118000 | 0x3ddec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x156210 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x117264 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xc0000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xc1000 | 0x57000 | 0x56400 | 257d01144382bba87ae8e16daa6f23b4 | False | 0.9873018568840579 | data | 7.935347181695601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x118000 | 0x3f000 | 0x3e400 | 0ee25dbab1e18e2c7cb8f7d79f892599 | False | 0.6623329254518072 | data | 6.716918087091885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11851c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x118648 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x118774 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x1188a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | Great Britain | 0.45567375886524825
RT_ICON | 0x118d0c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | Great Britain | 0.299953095684803
RT_ICON | 0x119db8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | Great Britain | 0.2274896265560166
RT_ICON | 0x11c364 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | Great Britain | 0.18865139348134152
RT_ICON | 0x120590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | Great Britain | 0.13214243463858985
RT_MENU | 0xe0d98 | 0x50 | data | English | Great Britain | 1.1375
RT_STRING | 0xe0de8 | 0x594 | data | English | Great Britain | 1.007703081232493
RT_STRING | 0xe137c | 0x68a | data | English | Great Britain | 1.0065710872162486
RT_STRING | 0xe1a08 | 0x490 | data | English | Great Britain | 1.009417808219178
RT_STRING | 0xe1e98 | 0x5fc | data | English | Great Britain | 1.0071801566579635
RT_STRING | 0xe2494 | 0x65c | data | English | Great Britain | 1.0067567567567568
RT_STRING | 0xe2af0 | 0x466 | data | English | Great Britain | 1.0097690941385435
RT_STRING | 0xe2f58 | 0x158 | data | English | Great Britain | 1.0319767441860466
RT_RCDATA | 0x130dbc | 0x24ac3 | data | | | 1.0003728089154589
RT_GROUP_ICON | 0x155884 | 0x4c | data | English | Great Britain | 0.8157894736842105
RT_GROUP_ICON | 0x1558d4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1558ec | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x155904 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x15591c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1559fc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T05:44:12.839145+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:13.792316+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:14.428651+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:15.432902+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49704 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:16.698738+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49707 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:17.317027+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49713 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:18.661966+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49725 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:21.524781+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49744 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:24.089423+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49762 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:24.964350+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49762 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:25.519627+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49776 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:26.214397+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49783 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:27.448861+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49791 | 193.122.6.168 | 80 | TCP
2025-01-11T05:44:30.694284+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49817 | 104.21.112.1 | 443 | TCP
2025-01-11T05:44:31.996574+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49823 | 104.21.112.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 11, 2025 05:44:21.272135973 CET49744443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:21.272185087 CET44349744104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:21.524806023 CET44349744104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:21.524878025 CET44349744104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:21.525074005 CET49744443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:21.538628101 CET49744443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:21.617753029 CET4973880192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:21.622900963 CET8049738193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:21.626138926 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:21.626179934 CET4973880192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:21.630959988 CET8049750193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:21.631052017 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:21.635050058 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:21.639909029 CET8049750193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:22.285343885 CET8049750193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:22.303031921 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:22.303086996 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.303162098 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:22.304168940 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:22.304187059 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.339327097 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:22.767189980 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.769936085 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:22.769974947 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.896955013 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.897152901 CET44349756104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:22.897200108 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:22.897697926 CET49756443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:23.201390028 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:23.206480026 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:23.206563950 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:23.206820965 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:23.211653948 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:23.845026016 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:23.852066040 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:23.856983900 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:24.038342953 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:24.075109959 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.075151920 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.075582027 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.079547882 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.079564095 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.089422941 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:24.532954931 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.533994913 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.534842014 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.534851074 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.535183907 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.589359999 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.609777927 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.651334047 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.715065002 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.715152025 CET44349769104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.716131926 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.719923019 CET49769443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.723336935 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:24.728147030 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:24.912143946 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:24.914706945 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.914751053 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.914813995 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.915138960 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:24.915152073 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:24.964349985 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.371685028 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:25.382870913 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:25.382909060 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:25.519721031 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:25.519887924 CET44349776104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:25.519943953 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:25.520410061 CET49776443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:25.526714087 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.530977011 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.531713963 CET8049762193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:25.531779051 CET4976280192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.535866022 CET8049783193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:25.535948992 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.536076069 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:25.541567087 CET8049783193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:26.162110090 CET8049783193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:26.163671970 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.163723946 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.168150902 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.168530941 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.168545961 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.214396954 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.628144026 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.640300035 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.640346050 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.756067991 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.756143093 CET44349788104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:26.756225109 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.756757021 CET49788443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:26.760546923 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.761990070 CET4979180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.765597105 CET8049783193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:26.765707016 CET4978380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.766896009 CET8049791193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:26.766984940 CET4979180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.767137051 CET4979180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:26.771986008 CET8049791193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:27.394572973 CET8049791193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:27.396373034 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:27.396451950 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:27.396687984 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:27.397027969 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:27.397047043 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:27.448860884 CET4979180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:27.874036074 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:27.876177073 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:27.876204014 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:28.010452032 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:28.010528088 CET44349797104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:28.010644913 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:28.011158943 CET49797443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:28.030122995 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:28.035037994 CET8049801193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:28.040177107 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:28.040343046 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:28.046664000 CET8049801193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:28.751349926 CET8049801193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:28.755548954 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:28.755615950 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:28.755721092 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:28.755996943 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:28.756016016 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:28.808243036 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.238116980 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:29.241491079 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:29.241516113 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:29.393687963 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:29.393937111 CET44349807104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:29.394012928 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:29.394412994 CET49807443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:29.398542881 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.399596930 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.403630018 CET8049801193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:29.403723955 CET4980180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.404529095 CET8049813193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:29.404601097 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.418751001 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:29.423813105 CET8049813193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:30.040564060 CET8049813193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:30.074724913 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.074762106 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.074837923 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.075165987 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.075180054 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.089428902 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.553752899 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.586169958 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.586200953 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.694407940 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.694582939 CET44349817104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:30.694659948 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.698523998 CET49817443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:30.737224102 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.738900900 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.742345095 CET8049813193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:30.742412090 CET4981380192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.743801117 CET8049820193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:30.743864059 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.743983030 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:30.748764992 CET8049820193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:31.369410992 CET8049820193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:31.374655008 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:31.374703884 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.374771118 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:31.375082970 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:31.375098944 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.417591095 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:31.829736948 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.831444025 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:31.831535101 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.996584892 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.996640921 CET44349823104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:31.996792078 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:31.997312069 CET49823443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:32.000883102 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:32.002036095 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:32.006001949 CET8049820193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:32.006920099 CET8049829193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:32.006997108 CET4982080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:32.007035971 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:32.007167101 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:32.011996031 CET8049829193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:32.641592026 CET8049829193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:44:32.643150091 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:32.643193960 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:32.643291950 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:32.643624067 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:32.643640041 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:32.683260918 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:44:33.117435932 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:33.138479948 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:33.138516903 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:33.265141010 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:33.265233040 CET44349835104.21.112.1192.168.2.7
                                      Jan 11, 2025 05:44:33.265346050 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:44:33.268115044 CET49835443192.168.2.7104.21.112.1
                                      Jan 11, 2025 05:45:21.658471107 CET8049707193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:45:21.658806086 CET4970780192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:45:27.287617922 CET8049750193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:45:27.287769079 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:45:32.506222963 CET8049791193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:45:32.509315014 CET4979180192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:45:37.642745972 CET8049829193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:45:37.642904043 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:46:02.313404083 CET4975080192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:46:02.318360090 CET8049750193.122.6.168192.168.2.7
                                      Jan 11, 2025 05:46:12.654488087 CET4982980192.168.2.7193.122.6.168
                                      Jan 11, 2025 05:46:12.659276962 CET8049829193.122.6.168192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:44:11.896862030 CET | 49608 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 05:44:11.903780937 CET | 53 | 49608 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 05:44:12.834908009 CET | 61900 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 05:44:12.842525005 CET | 53 | 61900 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 05:44:11.896862030 CET | 192.168.2.7 | 1.1.1.1 | 0x3b90 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.834908009 CET | 192.168.2.7 | 1.1.1.1 | 0xbeaf | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:11.903780937 CET | 1.1.1.1 | 192.168.2.7 | 0x3b90 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:44:12.842525005 CET | 1.1.1.1 | 192.168.2.7 | 0xbeaf | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                      • reallyfreegeoip.org
                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 05:44:11.965744972 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 05:44:12.597281933 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 04:44:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:44:12.601984024 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 05:44:12.788983107 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 04:44:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:44:13.559809923 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 05:44:13.746769905 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 04:44:13 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.7 | 49704 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:14.767126083 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:15.390126944 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:15 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.7 | 49707 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:15.990464926 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:16.657473087 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:16 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.7 | 49719 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:17.388576031 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:18.014130116 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:17 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.7 | 49729 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:18.869885921 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:19.514828920 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:19 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.7 | 49738 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:20.139964104 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:20.794580936 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:20 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.7 | 49750 | 193.122.6.168 | 80 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:21.635050058 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:22.285343885 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:22 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      7 | 192.168.2.7 | 49762 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:23.206820965 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:23.845026016 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:23 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                      Jan 11, 2025 05:44:23.852066040 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:24.038342953 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:23 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                      Jan 11, 2025 05:44:24.723336935 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:24.912143946 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:24 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      8 | 192.168.2.7 | 49783 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:25.536076069 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:26.162110090 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:26 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      9 | 192.168.2.7 | 49791 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:26.767137051 CET | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jan 11, 2025 05:44:27.394572973 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:27 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      10 | 192.168.2.7 | 49801 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:28.040343046 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:28.751349926 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:28 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      11 | 192.168.2.7 | 49813 | 193.122.6.168 | 80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:29.418751001 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:30.040564060 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:29 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      12 | 192.168.2.7 | 49820 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:30.743983030 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:31.369410992 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:31 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      13 | 192.168.2.7 | 49829 | 193.122.6.168 | 80 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:44:32.007167101 CET | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jan 11, 2025 05:44:32.641592026 CET | 273 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:32 GMT
                                      Content-Type: text/html
                                      Content-Length: 104
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:13 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:13 UTC | 849 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:13 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885442
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HLck3tQU9oSXbgHf9842Oh9Oxdb7xJa66mjcMoYKEfumBxhZBjrqVcJzGOMDfjEFuUBaAqiEDwIIYQDzz2hyPi7KSUjgDmz4Ia2dJWREdFL2OYO2xWllIqJAC5LlF4QAHKbyC1xM"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240183fe7c34f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1482&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1931216&cwnd=181&unsent_bytes=0&cid=078bd9380417d4cc&ts=207&x=0"
                                      2025-01-11 04:44:13 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:14 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:14 UTC | 855 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:14 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885443
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QzT6%2FPiwVEp6PgYdP9hJ0D9R3MMa%2BaMj32PTxnzyHqhTatypRezlCg7PGw9aQrmnFMwQn7ApnHzMC8KwgArRROG5zB0cGIFDSlAibE7Bk1g2pPkyNr8BQv9tVWZ2NT2c7S4U%2FGzu"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002401decbfc34f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1493&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1955793&cwnd=181&unsent_bytes=0&cid=d7e5ab3883893e41&ts=149&x=0"
                                      2025-01-11 04:44:14 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.7 | 49706 | 104.21.112.1 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:15 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:15 UTC | 857 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:15 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885445
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3J9G4kdIYpvLYGWnWwE9UIsS0j%2FPJc4eOiUsdP9xH%2F8f51iNwOC6FdAQbtP4QBRLdJIjmGLW43hn6fX%2BLzncYw%2FQeIjohJ23MrjwdInx5NupOGlVfi5V3n1LhtIVB4bepRUcNmWv"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240279caf43b3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1602&rtt_var=603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1810291&cwnd=203&unsent_bytes=0&cid=4fedfedb987824d6&ts=137&x=0"
                                      2025-01-11 04:44:15 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.7 | 49713 | 104.21.112.14 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:17 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:17 UTC | 855 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:17 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885446
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q4g01lNiZDCwa2NfHyD0SBsgy93pwui6Ppx4cqq7ikaNfyAWUU9eQbbcIhkdEc0OYYROb2ljS6FwMLNtdUsXSze%2BmMeAOfs0%2Fj%2BqGCetvkk9UMtfdmEDcM5PfotvfJbXWwRCVMW9"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002402ffd69c34f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1434&rtt_var=554&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1945369&cwnd=181&unsent_bytes=0&cid=76bc3da022e058ba&ts=153&x=0"
                                      2025-01-11 04:44:17 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.7 | 49725 | 104.21.112.14 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:18 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:18 UTC | 855 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:18 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885447
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gUdfN80WJHhNGibxy5a3sZ34btOoAk4Awx3dYP4qmkK7tZwgWHXr3k%2F0B%2F65wOu9CRqqrt8e%2BmHyXY5BdsJ5eh0AXj8GvB03VEZb9Rspi54yHlvR2EMd9c0HUr9PW98NCUgogAtA"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002403848e4727b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1886&min_rtt=1878&rtt_var=720&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1503604&cwnd=234&unsent_bytes=0&cid=21d5f540aec6494e&ts=164&x=0"
                                      2025-01-11 04:44:18 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.7 | 49732 | 104.21.112.14 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:19 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:20 UTC | 851 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:20 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885449
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XlzYJMCxcRjIyCM4s3I3O6S7y5rraD4PJAQAmHs8B0cXEbCxUY45JWcmpZ0Z3rjsAmqmLjbsNsovrwgQzMjej5iTehN95MLyKu02yhrM%2BYrNDFVqHgtZMRGAgHQ0o62cb4E5HsEj"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240417fa843b3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1572&rtt_var=591&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1849271&cwnd=203&unsent_bytes=0&cid=b1a1ef72efd37f2e&ts=144&x=0"
                                      2025-01-11 04:44:20 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.7 | 49744 | 104.21.112.14 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:21 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:21 UTC | 851 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:21 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885450
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DalBYepSTk5kj5Foy5vrJqhc%2Bqx3XOz92KC079jDvIoZZAqCCNFV8ROG9eaNx5071BECtPIZFkuRADwtRQmwyTb61DfFBVoQdufQpN7aAOM8GMdEHovGQBHMkrdJsMQjEJVq1rug"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002404a08620f5b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1616&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1754807&cwnd=221&unsent_bytes=0&cid=9eea253f681fd8c5&ts=240&x=0"
                                      2025-01-11 04:44:21 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      7 | 192.168.2.7 | 49756 | 104.21.112.14 | 443 | 6952 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:22 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:22 UTC | 861 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:22 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885451
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7HOinA%2FoqnKayDU0PkuvDR4AEVQiOb%2FLxGSWyYdZL2qe5JzUSG%2BYd8Oq619q15HS3SzowrDhx5%2FvRR7nf6B8euSgy%2FQ5kqb4wk06PMBxLf65g%2BdPKntIAaOLnAImjAWHSwGOSZUZ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 90024052da370f5b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1578&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1808049&cwnd=221&unsent_bytes=0&cid=9b3e17142ed16950&ts=136&x=0"
                                      2025-01-11 04:44:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      8 | 192.168.2.7 | 49769 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:24 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:24 UTC | 853 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:24 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885453
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Rf9vjG7uGKI7UmxQE80KziVR1xmy6AOEwRnNO%2F2%2BfmSkXwAH7MP1Dy5iOpmFpkngWuEwXntugUYXtKKKeoFshSltAA9MxMVYveJZm5yzRhgISsI77bN1map3A9ImdEge4m6c8dN"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002405e3b44727b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1886&rtt_var=731&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1473259&cwnd=234&unsent_bytes=0&cid=af82258923204b66&ts=185&x=0"
                                      2025-01-11 04:44:24 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      9 | 192.168.2.7 | 49776 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:25 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:25 UTC | 863 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:25 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885454
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kDKi%2FoNjJWPNooo4tbQBVZtuTqbwCe85%2FbcLSbRjA%2B6DRMojGKchzI5qFf9ElIegYCoMsDinKV2%2B5OvGsYCR9r9WZrRp3BaR9hMgn%2B0QPzhnHVytI%2FtExshBZjH%2Bny7EvTViIaNy"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240633907727b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1959&rtt_var=735&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1489036&cwnd=234&unsent_bytes=0&cid=998751a2948efcd2&ts=155&x=0"
                                      2025-01-11 04:44:25 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      10 | 192.168.2.7 | 49788 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:26 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:26 UTC | 862 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:26 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885455
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tLbIZgd8SD6SoBWWVMSrzZ3U4hlZ%2FzOMd8gqJQyyXzj%2B6aVwFUWY%2BBXwpZ9RjVL8C1Ba0b2IuELwHxVWxZ96rCG8SNdvVB%2FArkT51dRWUZ6HV1NqgprTZwF1E9%2B%2ByKBmoqfeXi8e"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002406afbfd0f5b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=5171&min_rtt=1665&rtt_var=2872&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1753753&cwnd=221&unsent_bytes=0&cid=6b4def70d23914b5&ts=131&x=0"
                                      2025-01-11 04:44:26 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      11 | 192.168.2.7 | 49797 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:27 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:28 UTC | 861 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:27 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885457
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CXQTpppSlQNthZzdiEHU%2FzoB5AJ1K%2BlbiWrD0LH2Db6p%2B1CCB3yGk9asD2YpGyVWcQpxTegTaijkwRpkY4TFuissS8%2F4TI4WI85RxvV%2Fs0ihbvDuaA7yt7dfDIrpAsb%2FUrbU0MR4"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 90024072caab727b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1980&rtt_var=762&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1417475&cwnd=234&unsent_bytes=0&cid=ec3a48b944304e4a&ts=139&x=0"
                                      2025-01-11 04:44:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      12 | 192.168.2.7 | 49807 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:29 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:29 UTC | 863 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:29 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885458
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lp9v%2F%2FX42adaBYzcfJHVs2%2FCFSw7UFB7loG%2B9DEYXLdWy7r7nJRXC6LMnzYP3bwHalvl1h5Ah4%2BjrS4BMY4xqRfJXdC%2F9%2F6GMm2G2gb2f32rJblsEuN6qQgk3BQlcBzO1HudJMVi"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002407b6cac727b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1973&rtt_var=746&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1460730&cwnd=234&unsent_bytes=0&cid=dda9caeae16a569f&ts=166&x=0"
                                      2025-01-11 04:44:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      13 | 192.168.2.7 | 49817 | 104.21.112.14 | 443 | 6480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:30 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:30 UTC | 853 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:30 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885459
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zI%2FMcJelMy1cCRajGiMcw%2B9UtnOvwtRC9Dz0HzK1qcDg7DZsPzl9hpmPNmuQ4a2WIP3LUrQgtIDBJ3g7rpC8odpjMQIX6OJE0QBcoBlQ5CN2dRQaWuXtN0zyNWOm9OezdbzvFbCD"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240838cf643b3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1570&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1808049&cwnd=203&unsent_bytes=0&cid=62108686afc4bfef&ts=149&x=0"
                                      2025-01-11 04:44:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP / Destination Port / PID | Process
                                      14 | 192.168.2.7 | 49823 | 104.21.112.14436480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:31 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2025-01-11 04:44:31 UTC | 855 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:31 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885461
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2ZfoTML55VS45OLm82Oj6QjJw8OtMLfqfdK5wXf6mbqYFYTeH9NYiCn4QTGyG9JnLY5UVNUHQftTP%2BfkBtKhUZx4gB0dQuIN0v0f%2FZkOQ7A6gyEgu%2F2YMhu7m7BwL79OM6jyiPu"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 9002408b9850424b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1567&rtt_var=609&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1765417&cwnd=248&unsent_bytes=0&cid=c44c74295af6e505&ts=156&x=0"
                                      2025-01-11 04:44:31 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                      Session ID | Source IP | Source Port | Destination IP / Destination Port / PID | Process
                                      15 | 192.168.2.7 | 49835 | 104.21.112.14436480 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2025-01-11 04:44:33 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2025-01-11 04:44:33 UTC | 853 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 04:44:33 GMT
                                      Content-Type: text/xml
                                      Content-Length: 362
                                      Connection: close
                                      Age: 1885462
                                      Cache-Control: max-age=31536000
                                      cf-cache-status: HIT
                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qy7eW%2BDsrK1H0LwBAlltQdqErec8WJZhyRcq5BDMgBrawYdOQmwnTjHmg20QOJHjObrbAWovSvPLGBLPJwWdznWbQIGUxqR2FkYR5se334SvCCSe3Mho3tdW3sS%2BOsll6lfYvW4Z"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 900240937f4cc34f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      server-timing: cfL4;desc="?proto=TCP&rtt=1522&min_rtt=1514&rtt_var=585&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1842271&cwnd=181&unsent_bytes=0&cid=84c3bebf07764a3a&ts=146&x=0"
                                      2025-01-11 04:44:33 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                      Target ID:5
                                      Start time:23:44:06
                                      Start date:10/01/2025
                                      Path:C:\Users\user\Desktop\prgNb8YFEA.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\prgNb8YFEA.exe"
                                      Imagebase:0xd20000
                                      File size:609'280 bytes
                                      MD5 hash:5314DC731381DE014B294374B0EB7666
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:23:44:07
                                      Start date:10/01/2025
                                      Path:C:\Users\user\AppData\Local\Milburr\brontothere.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\prgNb8YFEA.exe"
                                      Imagebase:0xb10000
                                      File size:609'280 bytes
                                      MD5 hash:5314DC731381DE014B294374B0EB7666
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.1312613369.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 61%, ReversingLabs
                                      • Detection: 73%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:8
                                      Start time:23:44:09
                                      Start date:10/01/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\prgNb8YFEA.exe"
                                      Imagebase:0xb90000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.3752407618.0000000000415000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3754613774.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3754613774.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                      Target ID:10
                                      Start time:23:44:18
                                      Start date:10/01/2025
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs"
                                      Imagebase:0x7ff76b730000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:23:44:19
                                      Start date:10/01/2025
                                      Path:C:\Users\user\AppData\Local\Milburr\brontothere.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Milburr\brontothere.exe"
                                      Imagebase:0xb10000
                                      File size:609'280 bytes
                                      MD5 hash:5314DC731381DE014B294374B0EB7666
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1424887574.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:23:44:20
                                      Start date:10/01/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Milburr\brontothere.exe"
                                      Imagebase:0x310000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3754528656.000000000283B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3754528656.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:3.6%
                                        Dynamic/Decrypted Code Coverage:0.4%
                                        Signature Coverage:8.6%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:169
99327 d24ad2 99322->99327 99325 d42f80 __cinit 67 API calls 99326 d21025 99325->99326 99328 d40ff6 Mailbox 59 API calls 99327->99328 99329 d24ada 99328->99329 99330 d2101b 99329->99330 99334 d24a94 99329->99334 99330->99325 99335 d24a9d 99334->99335 99337 d24aaf 99334->99337 99336 d42f80 __cinit 67 API calls 99335->99336 99336->99337 99338 d24afe 99337->99338 99339 d277c7 59 API calls 99338->99339 99340 d24b16 GetVersionExW 99339->99340 99341 d27d2c 59 API calls 99340->99341 99342 d24b59 99341->99342 99343 d27e8c 59 API calls 99342->99343 99352 d24b86 99342->99352 99344 d24b7a 99343->99344 99366 d27886 99344->99366 99346 d24bf1 GetCurrentProcess IsWow64Process 99347 d24c0a 99346->99347 99349 d24c20 99347->99349 99350 d24c89 GetSystemInfo 99347->99350 99348 d5dc8d 99362 d24c95 99349->99362 99351 d24c56 99350->99351 99351->99330 99352->99346 99352->99348 99355 d24c32 99357 d24c95 2 API calls 99355->99357 99356 d24c7d GetSystemInfo 99358 d24c47 99356->99358 99359 d24c3a GetNativeSystemInfo 99357->99359 99358->99351 99360 d24c4d FreeLibrary 99358->99360 99359->99358 99360->99351 99363 d24c2e 99362->99363 99364 d24c9e LoadLibraryA 99362->99364 99363->99355 99363->99356 99364->99363 99365 d24caf GetProcAddress 99364->99365 99365->99363 99367 d27894 99366->99367 99368 d27e8c 59 API calls 99367->99368 99369 d278a4 99368->99369 99369->99352 99370 d47e93 99371 d47e9f __alloc_osfhnd 99370->99371 99407 d4a048 GetStartupInfoW 99371->99407 99373 d47ea4 99409 d48dbc GetProcessHeap 99373->99409 99375 d47efc 99376 d47f07 99375->99376 99492 d47fe3 58 API calls 3 library calls 99375->99492 99410 d49d26 99376->99410 99379 d47f0d 99380 d47f18 __RTC_Initialize 99379->99380 99493 d47fe3 58 API calls 3 library calls 99379->99493 99431 d4d812 99380->99431 99383 d47f27 99384 d47f33 GetCommandLineW 99383->99384 99494 d47fe3 58 API calls 3 library calls 99383->99494 99450 d55173 GetEnvironmentStringsW 99384->99450 99388 d47f32 99388->99384 99390 d47f4d 99391 d47f58 99390->99391 99495 d432f5 
58 API calls 3 library calls 99390->99495 99460 d54fa8 99391->99460 99394 d47f5e 99395 d47f69 99394->99395 99496 d432f5 58 API calls 3 library calls 99394->99496 99474 d4332f 99395->99474 99398 d47f71 99399 d47f7c __wwincmdln 99398->99399 99497 d432f5 58 API calls 3 library calls 99398->99497 99480 d2492e 99399->99480 99402 d47f90 99403 d47f9f 99402->99403 99498 d43598 58 API calls _doexit 99402->99498 99499 d43320 58 API calls _doexit 99403->99499 99406 d47fa4 __alloc_osfhnd 99408 d4a05e 99407->99408 99408->99373 99409->99375 99500 d433c7 36 API calls 2 library calls 99410->99500 99412 d49d2b 99501 d49f7c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 99412->99501 99414 d49d34 99502 d49d9c 61 API calls 2 library calls 99414->99502 99415 d49d30 99415->99414 99503 d49fca TlsAlloc 99415->99503 99418 d49d39 99418->99379 99419 d49d46 99419->99414 99420 d49d51 99419->99420 99504 d48a15 99420->99504 99423 d49d93 99512 d49d9c 61 API calls 2 library calls 99423->99512 99426 d49d98 99426->99379 99427 d49d72 99427->99423 99428 d49d78 99427->99428 99511 d49c73 58 API calls 4 library calls 99428->99511 99430 d49d80 GetCurrentThreadId 99430->99379 99432 d4d81e __alloc_osfhnd 99431->99432 99433 d49e4b __lock 58 API calls 99432->99433 99434 d4d825 99433->99434 99435 d48a15 __calloc_crt 58 API calls 99434->99435 99436 d4d836 99435->99436 99437 d4d8a1 GetStartupInfoW 99436->99437 99438 d4d841 __alloc_osfhnd @_EH4_CallFilterFunc@8 99436->99438 99444 d4d8b6 99437->99444 99445 d4d9e5 99437->99445 99438->99383 99439 d4daad 99526 d4dabd RtlLeaveCriticalSection _doexit 99439->99526 99441 d48a15 __calloc_crt 58 API calls 99441->99444 99442 d4da32 GetStdHandle 99442->99445 99443 d4da45 GetFileType 99443->99445 99444->99441 99444->99445 99446 d4d904 99444->99446 99445->99439 99445->99442 99445->99443 99525 d4a06b InitializeCriticalSectionAndSpinCount 99445->99525 99446->99445 99447 d4d938 GetFileType 99446->99447 99524 d4a06b InitializeCriticalSectionAndSpinCount 99446->99524 
99447->99446 99451 d55184 99450->99451 99452 d47f43 99450->99452 99527 d48a5d 58 API calls 2 library calls 99451->99527 99456 d54d6b GetModuleFileNameW 99452->99456 99454 d551aa _memmove 99455 d551c0 FreeEnvironmentStringsW 99454->99455 99455->99452 99457 d54d9f _wparse_cmdline 99456->99457 99459 d54ddf _wparse_cmdline 99457->99459 99528 d48a5d 58 API calls 2 library calls 99457->99528 99459->99390 99461 d54fb9 99460->99461 99463 d54fc1 __NMSG_WRITE 99460->99463 99461->99394 99462 d48a15 __calloc_crt 58 API calls 99470 d54fea __NMSG_WRITE 99462->99470 99463->99462 99464 d55041 99465 d42f95 _free 58 API calls 99464->99465 99465->99461 99466 d48a15 __calloc_crt 58 API calls 99466->99470 99467 d55066 99469 d42f95 _free 58 API calls 99467->99469 99469->99461 99470->99461 99470->99464 99470->99466 99470->99467 99471 d5507d 99470->99471 99529 d54857 58 API calls 2 library calls 99470->99529 99530 d49006 IsProcessorFeaturePresent 99471->99530 99473 d55089 99473->99394 99475 d4333b __IsNonwritableInCurrentImage 99474->99475 99553 d4a711 99475->99553 99477 d43359 __initterm_e 99478 d42f80 __cinit 67 API calls 99477->99478 99479 d43378 _doexit __IsNonwritableInCurrentImage 99477->99479 99478->99479 99479->99398 99481 d24948 99480->99481 99491 d249e7 99480->99491 99482 d24982 74E4C8D0 99481->99482 99556 d435ac 99482->99556 99486 d249ae 99568 d24a5b SystemParametersInfoW SystemParametersInfoW 99486->99568 99488 d249ba 99569 d23b4c 99488->99569 99490 d249c2 SystemParametersInfoW 99490->99491 99491->99402 99492->99376 99493->99380 99494->99388 99498->99403 99499->99406 99500->99412 99501->99415 99502->99418 99503->99419 99505 d48a1c 99504->99505 99507 d48a57 99505->99507 99509 d48a3a 99505->99509 99513 d55446 99505->99513 99507->99423 99510 d4a026 TlsSetValue 99507->99510 99509->99505 99509->99507 99521 d4a372 Sleep 99509->99521 99510->99427 99511->99430 99512->99426 99514 d55451 99513->99514 99519 d5546c 99513->99519 99515 d5545d 99514->99515 99514->99519 99522 d48d68 58 API 
calls __getptd_noexit 99515->99522 99517 d5547c RtlAllocateHeap 99518 d55462 99517->99518 99517->99519 99518->99505 99519->99517 99519->99518 99523 d435e1 RtlDecodePointer 99519->99523 99521->99509 99522->99518 99523->99519 99524->99446 99525->99445 99526->99438 99527->99454 99528->99459 99529->99470 99531 d49011 99530->99531 99536 d48e99 99531->99536 99535 d4902c 99535->99473 99537 d48eb3 _memset __call_reportfault 99536->99537 99538 d48ed3 IsDebuggerPresent 99537->99538 99544 d4a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 99538->99544 99541 d48f97 __call_reportfault 99545 d4c836 99541->99545 99542 d48fba 99543 d4a380 GetCurrentProcess TerminateProcess 99542->99543 99543->99535 99544->99541 99546 d4c840 IsProcessorFeaturePresent 99545->99546 99547 d4c83e 99545->99547 99549 d55b5a 99546->99549 99547->99542 99552 d55b09 5 API calls 2 library calls 99549->99552 99551 d55c3d 99551->99542 99552->99551 99554 d4a714 RtlEncodePointer 99553->99554 99554->99554 99555 d4a72e 99554->99555 99555->99477 99557 d49e4b __lock 58 API calls 99556->99557 99558 d435b7 RtlDecodePointer RtlEncodePointer 99557->99558 99621 d49fb5 RtlLeaveCriticalSection 99558->99621 99560 d249a7 99561 d43614 99560->99561 99562 d4361e 99561->99562 99563 d43638 99561->99563 99562->99563 99622 d48d68 58 API calls __getptd_noexit 99562->99622 99563->99486 99565 d43628 99623 d48ff6 9 API calls __controlfp_s 99565->99623 99567 d43633 99567->99486 99568->99488 99570 d23b59 __ftell_nolock 99569->99570 99571 d277c7 59 API calls 99570->99571 99572 d23b63 GetCurrentDirectoryW 99571->99572 99624 d23778 99572->99624 99574 d23b8c IsDebuggerPresent 99575 d5d4ad MessageBoxA 99574->99575 99576 d23b9a 99574->99576 99579 d5d4c7 99575->99579 99577 d23c73 99576->99577 99576->99579 99580 d23bb7 99576->99580 99578 d23c7a SetCurrentDirectoryW 99577->99578 99581 d23c87 Mailbox 99578->99581 99823 d27373 59 API calls Mailbox 99579->99823 99705 d273e5 99580->99705 99581->99490 99585 d5d4d7 99589 d5d4ed 
SetCurrentDirectoryW 99585->99589 99586 d23bd5 GetFullPathNameW 99587 d27d2c 59 API calls 99586->99587 99588 d23c10 99587->99588 99721 d30a8d 99588->99721 99589->99581 99592 d23c2e 99593 d23c38 99592->99593 99824 d84c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 99592->99824 99737 d23a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 99593->99737 99596 d5d50a 99596->99593 99599 d5d51b 99596->99599 99825 d24864 99599->99825 99600 d23c42 99602 d23c55 99600->99602 99604 d243db 68 API calls 99600->99604 99745 d30b30 99602->99745 99603 d5d523 99607 d27f41 59 API calls 99603->99607 99604->99602 99608 d5d530 99607->99608 99611 d5d53a 99608->99611 99621->99560 99622->99565 99623->99567 99625 d277c7 59 API calls 99624->99625 99626 d2378e 99625->99626 99832 d23d43 99626->99832 99628 d237ac 99629 d24864 61 API calls 99628->99629 99630 d237c0 99629->99630 99631 d27f41 59 API calls 99630->99631 99632 d237cd 99631->99632 99846 d24f3d 99632->99846 99635 d5d3ae 99902 d897e5 99635->99902 99636 d237ee Mailbox 99639 d281a7 59 API calls 99636->99639 99642 d23801 99639->99642 99640 d5d3cd 99641 d42f95 _free 58 API calls 99640->99641 99644 d5d3da 99641->99644 99870 d293ea 99642->99870 99646 d24faa 84 API calls 99644->99646 99648 d5d3e3 99646->99648 99652 d23ee2 59 API calls 99648->99652 99649 d27f41 59 API calls 99650 d2381a 99649->99650 99873 d28620 99650->99873 99654 d5d3fe 99652->99654 99653 d2382c Mailbox 99655 d27f41 59 API calls 99653->99655 99656 d23ee2 59 API calls 99654->99656 99657 d23852 99655->99657 99658 d5d41a 99656->99658 99659 d28620 69 API calls 99657->99659 99660 d24864 61 API calls 99658->99660 99661 d23861 Mailbox 99659->99661 99662 d5d43f 99660->99662 99665 d277c7 59 API calls 99661->99665 99663 d23ee2 59 API calls 99662->99663 99664 d5d44b 99663->99664 99666 d281a7 59 API calls 99664->99666 99667 d2387f 99665->99667 99668 d5d459 99666->99668 99877 d23ee2 99667->99877 99670 d23ee2 59 API calls 99668->99670 99672 d5d468 99670->99672 99678 
d281a7 59 API calls 99672->99678 99674 d23899 99674->99648 99675 d238a3 99674->99675 99676 d4313d _W_store_winword 60 API calls 99675->99676 99677 d238ae 99676->99677 99677->99654 99679 d238b8 99677->99679 99680 d5d48a 99678->99680 99681 d4313d _W_store_winword 60 API calls 99679->99681 99683 d23ee2 59 API calls 99680->99683 99682 d238c3 99681->99682 99682->99658 99685 d238cd 99682->99685 99684 d5d497 99683->99684 99684->99684 99686 d4313d _W_store_winword 60 API calls 99685->99686 99687 d238d8 99686->99687 99687->99672 99688 d23919 99687->99688 99690 d23ee2 59 API calls 99687->99690 99688->99672 99689 d23926 99688->99689 99692 d2942e 59 API calls 99689->99692 99691 d238fc 99690->99691 99693 d281a7 59 API calls 99691->99693 99694 d23936 99692->99694 99696 d2390a 99693->99696 99695 d291b0 59 API calls 99694->99695 99697 d23944 99695->99697 99698 d23ee2 59 API calls 99696->99698 99893 d29040 99697->99893 99698->99688 99700 d293ea 59 API calls 99702 d23961 99700->99702 99701 d29040 60 API calls 99701->99702 99702->99700 99702->99701 99703 d23ee2 59 API calls 99702->99703 99704 d239a7 Mailbox 99702->99704 99703->99702 99704->99574 99706 d273f2 __ftell_nolock 99705->99706 99707 d2740b 99706->99707 99708 d5ee4b _memset 99706->99708 100753 d248ae 99707->100753 99710 d5ee67 758ED0D0 99708->99710 99712 d5eeb6 99710->99712 99714 d27d2c 59 API calls 99712->99714 99716 d5eecb 99714->99716 99716->99716 99718 d27429 100781 d269ca 99718->100781 99722 d30a9a __ftell_nolock 99721->99722 101025 d26ee0 99722->101025 99724 d30a9f 99735 d23c26 99724->99735 101036 d312fe 89 API calls 99724->101036 99726 d30aac 99726->99735 101037 d34047 91 API calls Mailbox 99726->101037 99728 d30ab5 99729 d30ab9 GetFullPathNameW 99728->99729 99728->99735 99730 d27d2c 59 API calls 99729->99730 99731 d30ae5 99730->99731 99732 d27d2c 59 API calls 99731->99732 99733 d30af2 99732->99733 99734 d27d2c 59 API calls 99733->99734 99736 d650d5 _wcscat 99733->99736 99734->99735 99735->99585 99735->99592 99738 
d23ac2 LoadImageW RegisterClassExW 99737->99738 99739 d5d49c 99737->99739 101070 d23041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 99738->101070 101074 d248fe LoadImageW EnumResourceNamesW 99739->101074 99743 d5d4a5 99744 d239e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 99744->99600 99746 d650ed 99745->99746 99759 d30b55 99745->99759 101216 d8a0b5 89 API calls 4 library calls 99746->101216 99748 d30e44 99753 d30bab PeekMessageW 99791 d30b65 Mailbox 99753->99791 99759->99791 101217 d29fbd 60 API calls 99759->101217 101218 d768bf 331 API calls 99759->101218 99760 d652ab Sleep 99760->99791 99764 d6517a TranslateAcceleratorW 99765 d30fa3 PeekMessageW 99764->99765 99764->99791 99765->99791 99766 d30fbf TranslateMessage DispatchMessageW 99766->99765 99767 d40ff6 59 API calls Mailbox 99767->99791 99768 d30e73 timeGetTime 99768->99791 99769 d65c49 WaitForSingleObject 99769->99791 99772 d30fdd Sleep 99794 d30fee Mailbox 99772->99794 99773 d281a7 59 API calls 99773->99791 99774 d277c7 59 API calls 99774->99794 99775 d310f5 99776 d65f22 Sleep 99776->99794 99779 d40719 timeGetTime 99779->99794 99780 d310ae timeGetTime 101215 d29fbd 60 API calls 99780->101215 99783 d65fb9 GetExitCodeProcess 99784 d29997 84 API calls 99784->99791 99786 da61ac 110 API calls 99786->99794 99787 d2b93d 109 API calls 99787->99794 99791->99748 99791->99753 99791->99760 99791->99764 99791->99765 99791->99766 99791->99767 99791->99768 99791->99769 99791->99772 99791->99773 99791->99775 99791->99776 99791->99780 99791->99784 99792 d29fbd 60 API calls 99791->99792 99791->99794 99803 d2a000 304 API calls 99791->99803 99807 d27f41 59 API calls 99791->99807 99810 d28620 69 API calls 99791->99810 99811 d8a0b5 89 API calls 99791->99811 99812 d29df0 59 API calls Mailbox 99791->99812 99814 d28b13 69 API calls 99791->99814 99815 d659ff VariantClear 99791->99815 99816 d766f4 59 API calls Mailbox 99791->99816 99817 d65a95 VariantClear 99791->99817 99818 d65843 VariantClear 99791->99818 
99819 d28e34 59 API calls Mailbox 99791->99819 99820 d77405 59 API calls 99791->99820 99821 d2b89c 304 API calls 99791->99821 101075 d2e580 99791->101075 101082 d2e800 99791->101082 101113 d2f5c0 99791->101113 101132 d2fe40 99791->101132 101212 d231ce IsDialogMessageW GetClassLongW 99791->101212 101219 da629f 59 API calls 99791->101219 101220 d89c9f 59 API calls Mailbox 99791->101220 101221 d7d9e3 59 API calls 99791->101221 101222 d76665 59 API calls 2 library calls 99791->101222 101223 d28561 59 API calls 99791->101223 101224 d2843f 59 API calls Mailbox 99791->101224 99792->99791 99793 d65c9e 99793->99775 99794->99774 99794->99775 99794->99779 99794->99783 99794->99786 99794->99787 99794->99791 99794->99793 99795 d66041 Sleep 99794->99795 99796 d654a2 Sleep 99794->99796 99798 d27f41 59 API calls 99794->99798 101225 d828f7 60 API calls 99794->101225 101226 d29fbd 60 API calls 99794->101226 101227 d28b13 69 API calls Mailbox 99794->101227 101228 d2b89c 331 API calls 99794->101228 101229 d76a50 60 API calls 99794->101229 101230 d854e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 99794->101230 101231 d83e91 66 API calls Mailbox 99794->101231 99795->99791 99796->99791 99798->99794 99803->99791 99807->99791 99810->99791 99811->99791 99812->99791 99814->99791 99815->99791 99816->99791 99817->99791 99818->99791 99819->99791 99820->99791 99821->99791 99823->99585 99824->99596 99826 d51b90 __ftell_nolock 99825->99826 99827 d24871 GetModuleFileNameW 99826->99827 99828 d27f41 59 API calls 99827->99828 99829 d24897 99828->99829 99830 d248ae 60 API calls 99829->99830 99831 d248a1 Mailbox 99830->99831 99831->99603 99833 d23d50 __ftell_nolock 99832->99833 99834 d27d2c 59 API calls 99833->99834 99836 d23eb6 Mailbox 99833->99836 99837 d23d82 99834->99837 99836->99628 99845 d23db8 Mailbox 99837->99845 99943 d27b52 99837->99943 99838 d27b52 59 API calls 99838->99845 99839 d23e89 99839->99836 99840 d27f41 59 API calls 99839->99840 99841 d23eaa 
99840->99841 99843 d23f84 59 API calls 99841->99843 99842 d27f41 59 API calls 99842->99845 99843->99836 99845->99836 99845->99838 99845->99839 99845->99842 99946 d23f84 99845->99946 99952 d24d13 99846->99952 99851 d5dd0f 99853 d24faa 84 API calls 99851->99853 99852 d24f68 LoadLibraryExW 99962 d24cc8 99852->99962 99855 d5dd16 99853->99855 99857 d24cc8 3 API calls 99855->99857 99859 d5dd1e 99857->99859 99988 d2506b 99859->99988 99860 d24f8f 99860->99859 99861 d24f9b 99860->99861 99863 d24faa 84 API calls 99861->99863 99864 d237e6 99863->99864 99864->99635 99864->99636 99867 d5dd45 99996 d25027 99867->99996 99869 d5dd52 99871 d40ff6 Mailbox 59 API calls 99870->99871 99872 d2380d 99871->99872 99872->99649 99874 d2862b 99873->99874 99875 d28652 99874->99875 100425 d28b13 69 API calls Mailbox 99874->100425 99875->99653 99878 d23f05 99877->99878 99879 d23eec 99877->99879 99881 d27d2c 59 API calls 99878->99881 99880 d281a7 59 API calls 99879->99880 99882 d2388b 99880->99882 99881->99882 99883 d4313d 99882->99883 99884 d431be 99883->99884 99885 d43149 99883->99885 100428 d431d0 60 API calls 4 library calls 99884->100428 99892 d4316e 99885->99892 100426 d48d68 58 API calls __getptd_noexit 99885->100426 99888 d431cb 99888->99674 99889 d43155 100427 d48ff6 9 API calls __controlfp_s 99889->100427 99891 d43160 99891->99674 99892->99674 99894 d5f5a5 99893->99894 99899 d29057 99893->99899 99894->99899 100430 d28d3b 59 API calls Mailbox 99894->100430 99896 d291a0 100429 d29e9c 60 API calls Mailbox 99896->100429 99897 d29158 99900 d40ff6 Mailbox 59 API calls 99897->99900 99899->99896 99899->99897 99901 d2915f 99899->99901 99900->99901 99901->99702 99903 d25045 85 API calls 99902->99903 99904 d89854 99903->99904 100431 d899be 99904->100431 99907 d2506b 74 API calls 99908 d89881 99907->99908 99909 d2506b 74 API calls 99908->99909 99910 d89891 99909->99910 99911 d2506b 74 API calls 99910->99911 99912 d898ac 99911->99912 99913 d2506b 74 API calls 99912->99913 99914 d898c7 99913->99914 
99915 d25045 85 API calls 99914->99915 99916 d898de 99915->99916 99917 d4594c std::exception::_Copy_str 58 API calls 99916->99917 99918 d898e5 99917->99918 99919 d4594c std::exception::_Copy_str 58 API calls 99918->99919 99920 d898ef 99919->99920 99921 d2506b 74 API calls 99920->99921 99922 d89903 99921->99922 99923 d89393 GetSystemTimeAsFileTime 99922->99923 99924 d89916 99923->99924 99925 d8992b 99924->99925 99926 d89940 99924->99926 99929 d42f95 _free 58 API calls 99925->99929 99927 d899a5 99926->99927 99928 d89946 99926->99928 99931 d42f95 _free 58 API calls 99927->99931 100437 d88d90 99928->100437 99932 d89931 99929->99932 99934 d5d3c1 99931->99934 99935 d42f95 _free 58 API calls 99932->99935 99934->99640 99937 d24faa 99934->99937 99935->99934 99936 d42f95 _free 58 API calls 99936->99934 99938 d24fb4 99937->99938 99939 d24fbb 99937->99939 99940 d455d6 __fcloseall 83 API calls 99938->99940 99941 d24fca 99939->99941 99942 d24fdb FreeLibrary 99939->99942 99940->99939 99941->99640 99942->99941 99944 d27faf 59 API calls 99943->99944 99945 d27b5d 99944->99945 99945->99837 99947 d23f92 99946->99947 99951 d23fb4 _memmove 99946->99951 99949 d40ff6 Mailbox 59 API calls 99947->99949 99948 d40ff6 Mailbox 59 API calls 99950 d23fc8 99948->99950 99949->99951 99950->99845 99951->99948 100001 d24d61 99952->100001 99955 d24d61 2 API calls 99958 d24d3a 99955->99958 99956 d24d53 99959 d4548b 99956->99959 99957 d24d4a FreeLibrary 99957->99956 99958->99956 99958->99957 100005 d454a0 99959->100005 99961 d24f5c 99961->99851 99961->99852 100162 d24d94 99962->100162 99965 d24ced 99967 d24d08 99965->99967 99968 d24cff FreeLibrary 99965->99968 99966 d24d94 2 API calls 99966->99965 99969 d24dd0 99967->99969 99968->99967 99970 d40ff6 Mailbox 59 API calls 99969->99970 99971 d24de5 99970->99971 100166 d2538e 99971->100166 99973 d24df1 _memmove 99974 d24e2c 99973->99974 99976 d24f21 99973->99976 99977 d24ee9 99973->99977 99975 d25027 69 API calls 99974->99975 99983 d24e35 99975->99983 100180 
d89ba5 95 API calls 99976->100180 100169 d24fe9 CreateStreamOnHGlobal 99977->100169 99980 d2506b 74 API calls 99980->99983 99982 d24ec9 99982->99860 99983->99980 99983->99982 99984 d5dcd0 99983->99984 100175 d25045 99983->100175 99985 d25045 85 API calls 99984->99985 99986 d5dce4 99985->99986 99987 d2506b 74 API calls 99986->99987 99987->99982 99989 d2507d 99988->99989 99992 d5ddf6 99988->99992 100204 d45812 99989->100204 99993 d89393 100402 d891e9 99993->100402 99995 d893a9 99995->99867 99997 d25036 99996->99997 99998 d5ddb9 99996->99998 100407 d45e90 99997->100407 100000 d2503e 100000->99869 100002 d24d2e 100001->100002 100003 d24d6a LoadLibraryA 100001->100003 100002->99955 100002->99958 100003->100002 100004 d24d7b GetProcAddress 100003->100004 100004->100002 100007 d454ac __alloc_osfhnd 100005->100007 100006 d454bf 100054 d48d68 58 API calls __getptd_noexit 100006->100054 100007->100006 100009 d454f0 100007->100009 100024 d50738 100009->100024 100010 d454c4 100055 d48ff6 9 API calls __controlfp_s 100010->100055 100013 d454f5 100014 d454fe 100013->100014 100015 d4550b 100013->100015 100056 d48d68 58 API calls __getptd_noexit 100014->100056 100017 d45535 100015->100017 100018 d45515 100015->100018 100039 d50857 100017->100039 100057 d48d68 58 API calls __getptd_noexit 100018->100057 100019 d454cf __alloc_osfhnd @_EH4_CallFilterFunc@8 100019->99961 100025 d50744 __alloc_osfhnd 100024->100025 100026 d49e4b __lock 58 API calls 100025->100026 100033 d50752 100026->100033 100027 d507c6 100059 d5084e 100027->100059 100028 d507cd 100064 d48a5d 58 API calls 2 library calls 100028->100064 100031 d507d4 100031->100027 100065 d4a06b InitializeCriticalSectionAndSpinCount 100031->100065 100032 d50843 __alloc_osfhnd 100032->100013 100033->100027 100033->100028 100035 d49ed3 __mtinitlocknum 58 API calls 100033->100035 100062 d46e8d 59 API calls __lock 100033->100062 100063 d46ef7 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 100033->100063 100035->100033 100037 
d507fa RtlEnterCriticalSection 100037->100027 100040 d50877 __wopenfile 100039->100040 100041 d50891 100040->100041 100053 d50a4c 100040->100053 100072 d43a0b 60 API calls 3 library calls 100040->100072 100070 d48d68 58 API calls __getptd_noexit 100041->100070 100043 d50896 100071 d48ff6 9 API calls __controlfp_s 100043->100071 100045 d50aaf 100067 d587f1 100045->100067 100046 d45540 100058 d45562 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100046->100058 100049 d50a45 100049->100053 100073 d43a0b 60 API calls 3 library calls 100049->100073 100051 d50a64 100051->100053 100074 d43a0b 60 API calls 3 library calls 100051->100074 100053->100041 100053->100045 100054->100010 100055->100019 100056->100019 100057->100019 100058->100019 100066 d49fb5 RtlLeaveCriticalSection 100059->100066 100061 d50855 100061->100032 100062->100033 100063->100033 100064->100031 100065->100037 100066->100061 100075 d57fd5 100067->100075 100069 d5880a 100069->100046 100070->100043 100071->100046 100072->100049 100073->100051 100074->100053 100076 d57fe1 __alloc_osfhnd 100075->100076 100077 d57ff7 100076->100077 100080 d5802d 100076->100080 100159 d48d68 58 API calls __getptd_noexit 100077->100159 100079 d57ffc 100160 d48ff6 9 API calls __controlfp_s 100079->100160 100086 d5809e 100080->100086 100083 d58049 100161 d58072 RtlLeaveCriticalSection __unlock_fhandle 100083->100161 100085 d58006 __alloc_osfhnd 100085->100069 100087 d580be 100086->100087 100088 d4471a __wsopen_nolock 58 API calls 100087->100088 100091 d580da 100088->100091 100089 d49006 __invoke_watson 8 API calls 100090 d587f0 100089->100090 100092 d57fd5 __wsopen_helper 103 API calls 100090->100092 100093 d58114 100091->100093 100099 d58137 100091->100099 100109 d58211 100091->100109 100094 d5880a 100092->100094 100095 d48d34 __close 58 API calls 100093->100095 100094->100083 100096 d58119 100095->100096 100097 d48d68 __tolower_l 58 API calls 100096->100097 100098 d58126 100097->100098 100100 d48ff6 __controlfp_s 9 API 
calls 100098->100100 100101 d581f5 100099->100101 100108 d581d3 100099->100108 100102 d58130 100100->100102 100103 d48d34 __close 58 API calls 100101->100103 100102->100083 100104 d581fa 100103->100104 100105 d48d68 __tolower_l 58 API calls 100104->100105 100106 d58207 100105->100106 100107 d48ff6 __controlfp_s 9 API calls 100106->100107 100107->100109 100110 d4d4d4 __alloc_osfhnd 61 API calls 100108->100110 100109->100089 100111 d582a1 100110->100111 100112 d582ce 100111->100112 100113 d582ab 100111->100113 100114 d57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100112->100114 100115 d48d34 __close 58 API calls 100113->100115 100125 d582f0 100114->100125 100116 d582b0 100115->100116 100118 d48d68 __tolower_l 58 API calls 100116->100118 100117 d5836e GetFileType 100119 d58379 GetLastError 100117->100119 100120 d583bb 100117->100120 100122 d582ba 100118->100122 100124 d48d47 __dosmaperr 58 API calls 100119->100124 100132 d4d76a __set_osfhnd 59 API calls 100120->100132 100121 d5833c GetLastError 100126 d48d47 __dosmaperr 58 API calls 100121->100126 100123 d48d68 __tolower_l 58 API calls 100122->100123 100123->100102 100127 d583a0 CloseHandle 100124->100127 100125->100117 100125->100121 100128 d57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100125->100128 100129 d58361 100126->100129 100127->100129 100130 d583ae 100127->100130 100131 d58331 100128->100131 100134 d48d68 __tolower_l 58 API calls 100129->100134 100133 d48d68 __tolower_l 58 API calls 100130->100133 100131->100117 100131->100121 100137 d583d9 100132->100137 100135 d583b3 100133->100135 100134->100109 100135->100129 100136 d58594 100136->100109 100139 d58767 CloseHandle 100136->100139 100137->100136 100138 d51b11 __lseeki64_nolock 60 API calls 100137->100138 100154 d5845a 100137->100154 100140 d58443 100138->100140 100141 d57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100139->100141 100143 d48d34 __close 58 API calls 100140->100143 100140->100154 100142 
d5878e 100141->100142 100144 d58796 GetLastError 100142->100144 100145 d587c2 100142->100145 100143->100154 100146 d48d47 __dosmaperr 58 API calls 100144->100146 100145->100109 100148 d587a2 100146->100148 100147 d51b11 60 API calls __lseeki64_nolock 100147->100154 100152 d4d67d __free_osfhnd 59 API calls 100148->100152 100149 d50d2d __close_nolock 61 API calls 100149->100154 100150 d510ab 70 API calls __read_nolock 100150->100154 100151 d599f2 __chsize_nolock 82 API calls 100151->100154 100152->100145 100153 d4dac6 __write 78 API calls 100153->100154 100154->100136 100154->100147 100154->100149 100154->100150 100154->100151 100154->100153 100155 d58611 100154->100155 100156 d50d2d __close_nolock 61 API calls 100155->100156 100157 d58618 100156->100157 100158 d48d68 __tolower_l 58 API calls 100157->100158 100158->100109 100159->100079 100160->100085 100161->100085 100163 d24ce1 100162->100163 100164 d24d9d LoadLibraryA 100162->100164 100163->99965 100163->99966 100164->100163 100165 d24dae GetProcAddress 100164->100165 100165->100163 100167 d40ff6 Mailbox 59 API calls 100166->100167 100168 d253a0 100167->100168 100168->99973 100170 d25003 FindResourceExW 100169->100170 100174 d25020 100169->100174 100171 d5dd5c LoadResource 100170->100171 100170->100174 100172 d5dd71 SizeofResource 100171->100172 100171->100174 100173 d5dd85 LockResource 100172->100173 100172->100174 100173->100174 100174->99974 100176 d25054 100175->100176 100178 d5ddd4 100175->100178 100181 d45a7d 100176->100181 100179 d25062 100179->99983 100180->99974 100182 d45a89 __alloc_osfhnd 100181->100182 100183 d45a9b 100182->100183 100185 d45ac1 100182->100185 100194 d48d68 58 API calls __getptd_noexit 100183->100194 100196 d46e4e 100185->100196 100186 d45aa0 100195 d48ff6 9 API calls __controlfp_s 100186->100195 100188 d45ac7 100202 d459ee 83 API calls 4 library calls 100188->100202 100191 d45ad6 100203 d45af8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100191->100203 100193 d45aab 

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D23B7A
                                        • IsDebuggerPresent.KERNEL32 ref: 00D23B8C
                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,00DE62F8,00DE62E0,?,?), ref: 00D23BFD
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                          • Part of subcall function 00D30A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D23C26,00DE62F8,?,?,?), ref: 00D30ACE
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00D23C81
                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00DD93F0,00000010), ref: 00D5D4BC
                                        • SetCurrentDirectoryW.KERNEL32(?,00DE62F8,?,?,?), ref: 00D5D4F4
                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00DD5D40,00DE62F8,?,?,?), ref: 00D5D57A
                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00D5D581
                                          • Part of subcall function 00D23A58: GetSysColorBrush.USER32(0000000F), ref: 00D23A62
                                          • Part of subcall function 00D23A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D23A71
                                          • Part of subcall function 00D23A58: LoadIconW.USER32(00000063), ref: 00D23A88
                                          • Part of subcall function 00D23A58: LoadIconW.USER32(000000A4), ref: 00D23A9A
                                          • Part of subcall function 00D23A58: LoadIconW.USER32(000000A2), ref: 00D23AAC
                                          • Part of subcall function 00D23A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D23AD2
                                          • Part of subcall function 00D23A58: RegisterClassExW.USER32(?), ref: 00D23B28
                                          • Part of subcall function 00D239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D23A15
                                          • Part of subcall function 00D239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D23A36
                                          • Part of subcall function 00D239E7: ShowWindow.USER32(00000000,?,?), ref: 00D23A4A
                                          • Part of subcall function 00D239E7: ShowWindow.USER32(00000000,?,?), ref: 00D23A53
                                          • Part of subcall function 00D243DB: _memset.LIBCMT ref: 00D24401
                                          • Part of subcall function 00D243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D244A6
                                        Strings
                                        • This is a third-party compiled AutoIt script., xrefs: 00D5D4B4
                                        • runas, xrefs: 00D5D575
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                        • API String ID: 529118366-3287110873
                                        • Opcode ID: ffbadf38973ed34f151c806e8315b8e074bd01d336936e0c783e204c03bc1443
                                        • Instruction ID: 385fb2281aa6803d04a8af961d5dbc3d0e419eb1b24a06a411a53557fbd52d0e
                                        • Opcode Fuzzy Hash: ffbadf38973ed34f151c806e8315b8e074bd01d336936e0c783e204c03bc1443
                                        • Instruction Fuzzy Hash: BD511530908398AECF21FBB0FC45EED7B79EB25348B0441A5F951A63A1DA748605DB35

                                        Control-flow Graph

                                        control_flow_graph 765 d23633-d23681 767 d23683-d23686 765->767 768 d236e1-d236e3 765->768 769 d236e7 767->769 770 d23688-d2368f 767->770 768->767 771 d236e5 768->771 775 d5d31c-d5d34a call d311d0 call d311f3 769->775 776 d236ed-d236f0 769->776 772 d23695-d2369a 770->772 773 d2375d-d23765 PostQuitMessage 770->773 774 d236ca-d236d2 NtdllDefWindowProc_W 771->774 777 d236a0-d236a2 772->777 778 d5d38f-d5d3a3 call d82a16 772->778 781 d23711-d23713 773->781 780 d236d8-d236de 774->780 812 d5d34f-d5d356 775->812 782 d236f2-d236f3 776->782 783 d23715-d2373c SetTimer RegisterClipboardFormatW 776->783 786 d23767-d23776 call d24531 777->786 787 d236a8-d236ad 777->787 778->781 805 d5d3a9 778->805 781->780 784 d5d2bf-d5d2c2 782->784 785 d236f9-d2370c KillTimer call d244cb call d23114 782->785 783->781 788 d2373e-d23749 CreatePopupMenu 783->788 797 d5d2c4-d5d2c6 784->797 798 d5d2f8-d5d317 MoveWindow 784->798 785->781 786->781 792 d5d374-d5d37b 787->792 793 d236b3-d236b8 787->793 788->781 792->774 802 d5d381-d5d38a call d7817e 792->802 803 d2374b-d2375b call d245df 793->803 804 d236be-d236c4 793->804 799 d5d2e7-d5d2f3 SetFocus 797->799 800 d5d2c8-d5d2cb 797->800 798->781 799->781 800->804 808 d5d2d1-d5d2e2 call d311d0 800->808 802->774 803->781 804->774 804->812 805->774 808->781 812->774 816 d5d35c-d5d36f call d244cb call d243db 812->816 816->774
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00D236D2
                                        • KillTimer.USER32(?,00000001), ref: 00D236FC
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D2371F
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D2372A
                                        • CreatePopupMenu.USER32 ref: 00D2373E
                                        • PostQuitMessage.USER32(00000000), ref: 00D2375F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                        • String ID: TaskbarCreated
                                        • API String ID: 157504867-2362178303
                                        • Opcode ID: b4bf7ec92f3b816e0aabae2ae6fd367e56cf9f5b6ead67d7d86a05529af70bd9
                                        • Instruction ID: a030858b91bb821be86ff3ef1b605a1aae5308a928f4bf2d1d317b1fece2a94c
                                        • Opcode Fuzzy Hash: b4bf7ec92f3b816e0aabae2ae6fd367e56cf9f5b6ead67d7d86a05529af70bd9
                                        • Instruction Fuzzy Hash: 264148B1200255BBDF207F68FC89B793759EB71345F080128FA82C63E1CA69DE019775

                                        Control-flow Graph

                                        control_flow_graph 948 d24afe-d24b5e call d277c7 GetVersionExW call d27d2c 953 d24b64 948->953 954 d24c69-d24c6b 948->954 956 d24b67-d24b6c 953->956 955 d5db90-d5db9c 954->955 957 d5db9d-d5dba1 955->957 958 d24b72 956->958 959 d24c70-d24c71 956->959 961 d5dba4-d5dbb0 957->961 962 d5dba3 957->962 960 d24b73-d24baa call d27e8c call d27886 958->960 959->960 970 d24bb0-d24bb1 960->970 971 d5dc8d-d5dc90 960->971 961->957 964 d5dbb2-d5dbb7 961->964 962->961 964->956 966 d5dbbd-d5dbc4 964->966 966->955 968 d5dbc6 966->968 972 d5dbcb-d5dbce 968->972 970->972 973 d24bb7-d24bc2 970->973 974 d5dc92 971->974 975 d5dca9-d5dcad 971->975 976 d5dbd4-d5dbf2 972->976 977 d24bf1-d24c08 GetCurrentProcess IsWow64Process 972->977 978 d5dc13-d5dc19 973->978 979 d24bc8-d24bca 973->979 980 d5dc95 974->980 982 d5dcaf-d5dcb8 975->982 983 d5dc98-d5dca1 975->983 976->977 981 d5dbf8-d5dbfe 976->981 984 d24c0a 977->984 985 d24c0d-d24c1e 977->985 990 d5dc23-d5dc29 978->990 991 d5dc1b-d5dc1e 978->991 986 d24bd0-d24bd3 979->986 987 d5dc2e-d5dc3a 979->987 980->983 988 d5dc00-d5dc03 981->988 989 d5dc08-d5dc0e 981->989 982->980 992 d5dcba-d5dcbd 982->992 983->975 984->985 993 d24c20-d24c30 call d24c95 985->993 994 d24c89-d24c93 GetSystemInfo 985->994 995 d24bd9-d24be8 986->995 996 d5dc5a-d5dc5d 986->996 998 d5dc44-d5dc4a 987->998 999 d5dc3c-d5dc3f 987->999 988->977 989->977 990->977 991->977 992->983 1005 d24c32-d24c3f call d24c95 993->1005 1006 d24c7d-d24c87 GetSystemInfo 993->1006 997 d24c56-d24c66 994->997 1003 d5dc4f-d5dc55 995->1003 1004 d24bee 995->1004 996->977 1002 d5dc63-d5dc78 996->1002 998->977 999->977 1007 d5dc82-d5dc88 1002->1007 1008 d5dc7a-d5dc7d 1002->1008 1003->977 1004->977 1013 d24c41-d24c45 GetNativeSystemInfo 1005->1013 1014 d24c76-d24c7b 1005->1014 1010 d24c47-d24c4b 1006->1010 1007->977 1008->977 1010->997 1012 d24c4d-d24c50 FreeLibrary 1010->1012 1012->997 1013->1010 1014->1013
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 00D24B2B
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        • GetCurrentProcess.KERNEL32(?,00DAFAEC,00000000,00000000,?), ref: 00D24BF8
                                        • IsWow64Process.KERNEL32(00000000), ref: 00D24BFF
                                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D24C45
                                        • FreeLibrary.KERNEL32(00000000), ref: 00D24C50
                                        • GetSystemInfo.KERNEL32(00000000), ref: 00D24C81
                                        • GetSystemInfo.KERNEL32(00000000), ref: 00D24C8D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                        • String ID:
                                        • API String ID: 1986165174-0
                                        • Opcode ID: 28ab9d0f97a7c306b39ae6a1c65901b5842eabbbbad01ae77eebddba06bff5b4
                                        • Instruction ID: 862cca1694b8223f694af594a09758fe2742a81dfb9b5518ce97cfcdc307e9d6
                                        • Opcode Fuzzy Hash: 28ab9d0f97a7c306b39ae6a1c65901b5842eabbbbad01ae77eebddba06bff5b4
                                        • Instruction Fuzzy Hash: D691E53154A7D0DECB31CB6894511AABFE5AF3A304B484D9DE8CB93A01D220E908D779

                                        Control-flow Graph

                                        control_flow_graph 1064 d24fe9-d25001 CreateStreamOnHGlobal 1065 d25003-d2501a FindResourceExW 1064->1065 1066 d25021-d25026 1064->1066 1067 d25020 1065->1067 1068 d5dd5c-d5dd6b LoadResource 1065->1068 1067->1066 1068->1067 1069 d5dd71-d5dd7f SizeofResource 1068->1069 1069->1067 1070 d5dd85-d5dd90 LockResource 1069->1070 1070->1067 1071 d5dd96-d5ddb4 1070->1071 1071->1067
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D24FF9
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D24EEE,?,?,00000000,00000000), ref: 00D25010
                                        • LoadResource.KERNEL32(?,00000000,?,?,00D24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D24F8F), ref: 00D5DD60
                                        • SizeofResource.KERNEL32(?,00000000,?,?,00D24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D24F8F), ref: 00D5DD75
                                        • LockResource.KERNEL32(00D24EEE,?,?,00D24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D24F8F,00000000), ref: 00D5DD88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        • Opcode ID: 1e9c401aaa633336fa97b49730e1e377b11d2a39336b14339227b7caa34e21bf
                                        • Instruction ID: 8b036937f6ed4b541e736faac46b92ea91e3a9f52b4100ecba0697a9537b4b3a
                                        • Opcode Fuzzy Hash: 1e9c401aaa633336fa97b49730e1e377b11d2a39336b14339227b7caa34e21bf
                                        • Instruction Fuzzy Hash: EB117C75240700BFD7218BA5EC58F677BB9EBCAB16F2441ACF406CA264DB71EC0086B0

                                        Control-flow Graph

                                        control_flow_graph 1110 e37080-e3708d 1111 e3709a-e3709f 1110->1111 1112 e370a1 1111->1112 1113 e370a3 1112->1113 1114 e37090-e37095 1112->1114 1116 e370a8-e370aa 1113->1116 1115 e37096-e37098 1114->1115 1115->1111 1115->1112 1117 e370b3-e370b7 1116->1117 1118 e370ac-e370b1 1116->1118 1119 e370c4-e370c7 1117->1119 1120 e370b9 1117->1120 1118->1117 1123 e370d0-e370d2 1119->1123 1124 e370c9-e370ce 1119->1124 1121 e370e3-e370e8 1120->1121 1122 e370bb-e370c2 1120->1122 1125 e370fb-e370fd 1121->1125 1126 e370ea-e370f3 1121->1126 1122->1119 1122->1121 1123->1116 1124->1123 1129 e37106 1125->1129 1130 e370ff-e37104 1125->1130 1127 e370f5-e370f9 1126->1127 1128 e3716a-e3716d 1126->1128 1127->1129 1131 e37172-e37175 1128->1131 1132 e370d4-e370d6 1129->1132 1133 e37108-e3710b 1129->1133 1130->1129 1134 e37177-e37179 1131->1134 1137 e370d8-e370dd 1132->1137 1138 e370df-e370e1 1132->1138 1135 e37114 1133->1135 1136 e3710d-e37112 1133->1136 1134->1131 1140 e3717b-e3717e 1134->1140 1135->1132 1141 e37116-e37118 1135->1141 1136->1135 1137->1138 1139 e37135-e37144 1138->1139 1142 e37146-e3714d 1139->1142 1143 e37154-e37161 1139->1143 1140->1131 1144 e37180-e3719c 1140->1144 1145 e37121-e37125 1141->1145 1146 e3711a-e3711f 1141->1146 1142->1142 1147 e3714f 1142->1147 1143->1143 1148 e37163-e37165 1143->1148 1144->1134 1149 e3719e 1144->1149 1145->1141 1150 e37127 1145->1150 1146->1145 1147->1115 1148->1115 1151 e371a4-e371a8 1149->1151 1152 e37132 1150->1152 1153 e37129-e37130 1150->1153 1154 e371aa-e371c0 LoadLibraryA 1151->1154 1155 e371ef-e371f2 1151->1155 1152->1139 1153->1141 1153->1152 1157 e371c1-e371c6 1154->1157 1156 e371f5-e371fc 1155->1156 1158 e37220-e37250 VirtualProtect * 2 1156->1158 1159 e371fe-e37200 1156->1159 1157->1151 1160 e371c8-e371ca 1157->1160 1163 e37254-e37258 1158->1163 1161 e37213-e3721e 1159->1161 1162 e37202-e37211 1159->1162 1164 e371d3-e371e0 GetProcAddress 1160->1164 1165 e371cc-e371d2 1160->1165 1161->1162 
1162->1156 1163->1163 1168 e3725a 1163->1168 1166 e371e2-e371e7 1164->1166 1167 e371e9 ExitProcess 1164->1167 1165->1164 1166->1157
                                        APIs
                                        • LoadLibraryA.KERNEL32(?), ref: 00E371BA
                                        • GetProcAddress.KERNEL32(?,00E30FF9), ref: 00E371D8
                                        • ExitProcess.KERNEL32(?,00E30FF9), ref: 00E371E9
                                        • VirtualProtect.KERNELBASE(00D20000,00001000,00000004,?,00000000), ref: 00E37237
                                        • VirtualProtect.KERNELBASE(00D20000,00001000), ref: 00E3724C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                        • String ID:
                                        • API String ID: 1996367037-0
                                        • Opcode ID: 8783289a0e8441c311daff7a58b3808c4b9a86d2b8a923c3c7e977b40eabf210
                                        • Instruction ID: d9421bcfe5d40edad6ec2859ded649cdda107d2135baf597ec87223c67fe96aa
                                        • Opcode Fuzzy Hash: 8783289a0e8441c311daff7a58b3808c4b9a86d2b8a923c3c7e977b40eabf210
                                        • Instruction Fuzzy Hash: 28514BF2A593524BD7348AB8CCC86A1BFA0EB41328F181778D9E1E73C5E7A05C05C760
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID:
                                        • API String ID: 3964851224-0
                                        • Opcode ID: e27b22b863d08bd5918582bbcdcbeff368bb814c57357fc08b26d77bbe999043
                                        • Instruction ID: 0ea2b7bad77cfe66675dd0090977e3700a4e683c7163ce877db4f8ad6bde698c
                                        • Opcode Fuzzy Hash: e27b22b863d08bd5918582bbcdcbeff368bb814c57357fc08b26d77bbe999043
                                        • Instruction Fuzzy Hash: 5A9248746083519FD724DF18C590B6ABBE1FF88304F18896DE98A8B352D771EC45CBA2
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00D5E7C1), ref: 00D846A6
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00D846B7
                                        • FindClose.KERNEL32(00000000), ref: 00D846C7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirst
                                        • String ID:
                                        • API String ID: 48322524-0
                                        • Opcode ID: ccaf79711f8e9c6fd0e64e0bdb7c6998829c8357fda9bb6853f5c6861d2cb382
                                        • Instruction ID: 28d06350bb5fc7505d022848171d72f6700449380f663c38768cb611261fab4b
                                        • Opcode Fuzzy Hash: ccaf79711f8e9c6fd0e64e0bdb7c6998829c8357fda9bb6853f5c6861d2cb382
                                        • Instruction Fuzzy Hash: 4BE0DF328106016B8610B778EC4E9EA779CDE07335F100766F876C22E0FBB09D6086BA
                                        Strings
                                        • Variable must be of type 'Object'., xrefs: 00D6428C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Variable must be of type 'Object'.
                                        • API String ID: 0-109567571
                                        • Opcode ID: 8fad81a2f69c10b9f1cb7a71ff1e86b00964e6dc195265aa4e3290109c6a1378
                                        • Instruction ID: 352f6efc99f07020c291339a01853a5a48a1d67c7415a6a2a37750c2d6fe809b
                                        • Opcode Fuzzy Hash: 8fad81a2f69c10b9f1cb7a71ff1e86b00964e6dc195265aa4e3290109c6a1378
                                        • Instruction Fuzzy Hash: 1CA2C674A04225CFCB14CF58E580AADB7B1FF68308F688469E956AB351D731ED42CBB1
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D30BBB
                                        • timeGetTime.WINMM ref: 00D30E76
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D30FB3
                                        • TranslateMessage.USER32(?), ref: 00D30FC7
                                        • DispatchMessageW.USER32(?), ref: 00D30FD5
                                        • Sleep.KERNEL32(0000000A), ref: 00D30FDF
                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00D3105A
                                        • DestroyWindow.USER32 ref: 00D31066
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D31080
                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00D652AD
                                        • TranslateMessage.USER32(?), ref: 00D6608A
                                        • DispatchMessageW.USER32(?), ref: 00D66098
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D660AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                        • API String ID: 4003667617-3242690629
                                        • Opcode ID: 67d9e0303276658fbc3da51a0887fff93af19b46d514f44cae492c36ce88456d
                                        • Instruction ID: 0a0bb36bf8d49e1d04dac3ddfdc2c73ef496cb035585d7c4bf25b33fc1ea7a38
                                        • Opcode Fuzzy Hash: 67d9e0303276658fbc3da51a0887fff93af19b46d514f44cae492c36ce88456d
                                        • Instruction Fuzzy Hash: 86B2AB70608741DBD724DF24D894BAABBE4FF94304F18495DF48A972A1DB71E884CBB2

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00D891E9: __time64.LIBCMT ref: 00D891F3
                                          • Part of subcall function 00D25045: _fseek.LIBCMT ref: 00D2505D
                                        • __wsplitpath.LIBCMT ref: 00D894BE
                                          • Part of subcall function 00D4432E: __wsplitpath_helper.LIBCMT ref: 00D4436E
                                        • _wcscpy.LIBCMT ref: 00D894D1
                                        • _wcscat.LIBCMT ref: 00D894E4
                                        • __wsplitpath.LIBCMT ref: 00D89509
                                        • _wcscat.LIBCMT ref: 00D8951F
                                        • _wcscat.LIBCMT ref: 00D89532
                                          • Part of subcall function 00D8922F: _memmove.LIBCMT ref: 00D89268
                                          • Part of subcall function 00D8922F: _memmove.LIBCMT ref: 00D89277
                                        • _wcscmp.LIBCMT ref: 00D89479
                                          • Part of subcall function 00D899BE: _wcscmp.LIBCMT ref: 00D89AAE
                                          • Part of subcall function 00D899BE: _wcscmp.LIBCMT ref: 00D89AC1
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D896DC
                                        • _wcsncpy.LIBCMT ref: 00D8974F
                                        • DeleteFileW.KERNEL32(?,?), ref: 00D89785
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D8979B
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D897AC
                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D897BE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                        • String ID:
                                        • API String ID: 1500180987-0
                                        • Opcode ID: 78cf4b47bcbe274394fbce0289f730fb92a4559d743b133b02e02309f4363df7
                                        • Instruction ID: ad414477aff43f16fa8e75012ef98563fe92c64d681a6d491eceb07f5407daa5
                                        • Opcode Fuzzy Hash: 78cf4b47bcbe274394fbce0289f730fb92a4559d743b133b02e02309f4363df7
                                        • Instruction Fuzzy Hash: 18C13BB1900229ABCF21EF95DC85EEEB7BCEF55300F0440AAF649E6151EB309A448F75

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00D24864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DE62F8,?,00D237C0,?), ref: 00D24882
                                          • Part of subcall function 00D4074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D272C5), ref: 00D40771
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D27308
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D5ECF1
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D5ED32
                                        • RegCloseKey.ADVAPI32(?), ref: 00D5ED70
                                        • _wcscat.LIBCMT ref: 00D5EDC9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                        • API String ID: 2673923337-2727554177
                                        • Opcode ID: 95da427c30348e6a2907de3302206e353b9958cb573240de0520f46a6b58a178
                                        • Instruction ID: 2ccda3a4c3113a8ac7ecfaa615e455499b8e9d9b2e92fd89c63a1ac09eea0fb3
                                        • Opcode Fuzzy Hash: 95da427c30348e6a2907de3302206e353b9958cb573240de0520f46a6b58a178
                                        • Instruction Fuzzy Hash: FE717C714083419EC754EF65EC819ABBBE8FF59300F44042EFA45DB2A0EB309949CB7A

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00D23A62
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00D23A71
                                        • LoadIconW.USER32(00000063), ref: 00D23A88
                                        • LoadIconW.USER32(000000A4), ref: 00D23A9A
                                        • LoadIconW.USER32(000000A2), ref: 00D23AAC
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D23AD2
                                        • RegisterClassExW.USER32(?), ref: 00D23B28
                                          • Part of subcall function 00D23041: GetSysColorBrush.USER32(0000000F), ref: 00D23074
                                          • Part of subcall function 00D23041: RegisterClassExW.USER32(00000030), ref: 00D2309E
                                          • Part of subcall function 00D23041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D230AF
                                          • Part of subcall function 00D23041: LoadIconW.USER32(000000A9), ref: 00D230F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 2880975755-4155596026
                                        • Opcode ID: 03c5f4d8639ef44888814eb694660fbddb23ed5690977971441a57c7625a69a2
                                        • Instruction ID: e158a5a773fa0f9839b97fd83eca72f81996db8bf254cac1875909b0ccfeb9e0
                                        • Opcode Fuzzy Hash: 03c5f4d8639ef44888814eb694660fbddb23ed5690977971441a57c7625a69a2
                                        • Instruction Fuzzy Hash: 5D215E71D00354AFDB10AFA4EC89B9D7BB4FB18755F000169F604EA3A0D3BA95548F78

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                        • API String ID: 1825951767-3513169116
                                        • Opcode ID: 53e1d05537fd879c7e50d620f74cf30b978f8bfb4abbebf40b6ec0631331bb0f
                                        • Instruction ID: e150f1a73e97c9958dad001ab31629941e92f1dc60f54c30a27e2fff669ad04e
                                        • Opcode Fuzzy Hash: 53e1d05537fd879c7e50d620f74cf30b978f8bfb4abbebf40b6ec0631331bb0f
                                        • Instruction Fuzzy Hash: A0A14D719102699ADF14EBA0EC92EEEB778FF24314F440529F812B7191DB749A09CB70

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00D23074
                                        • RegisterClassExW.USER32(00000030), ref: 00D2309E
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D230AF
                                        • LoadIconW.USER32(000000A9), ref: 00D230F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: 801a3a32879a0e41690de061cd38c412c1852ac0618fe7cef01202384e44b5f6
                                        • Instruction ID: 9e75d24b4eb025a238801dcd2faed4dac525ca495b07149498b4f4a5a68a0597
                                        • Opcode Fuzzy Hash: 801a3a32879a0e41690de061cd38c412c1852ac0618fe7cef01202384e44b5f6
                                        • Instruction Fuzzy Hash: B23147B1801349AFEB50AFE4D885AD9BBF4FB1A310F10456AE540EA3A0E3B54545CFA5

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00D23074
                                        • RegisterClassExW.USER32(00000030), ref: 00D2309E
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D230AF
                                        • LoadIconW.USER32(000000A9), ref: 00D230F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: ac63eed37872e69a2d08a5dff43f3d2488565f249d6146037a2216c81cf9c87c
                                        • Instruction ID: e4a8dcdc43ce8bd475d553eaa49310309dcd4934d8d8de801f26bd73cd2871c5
                                        • Opcode Fuzzy Hash: ac63eed37872e69a2d08a5dff43f3d2488565f249d6146037a2216c81cf9c87c
                                        • Instruction Fuzzy Hash: 7F21E5B1900358AFDB00EFE4E889B9DBBF4FB19750F00456AF610EA3A0D7B145448FA5

                                        Control-flow Graph

                                        Control-flow graph nodes (graph image not reproduced; legend: Executed / Not Executed): 1228758-1228910, calling CreateFileW, VirtualAlloc, CreateFileW, ReadFile, WriteFile, CloseHandle, VirtualFree
                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0122879D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction ID: 8b766bb851da76f9eb27daf51f31eb52e4f27eb39d02d5d40b08664b3d30671b
                                        • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction Fuzzy Hash: CA510D75A60209FBEF20DFA4CC49FDE77B8AF48700F108554F60AEB280DAB49644CB60

                                        Control-flow Graph

                                        Control-flow graph nodes (graph image not reproduced; legend: Executed / Not Executed): d273e5-d5eecb, calling d51b90, d248ae, d409d5, d2716b, d269ca, d43020, 758ED0D0, d27d2c
                                        APIs
                                        • _memset.LIBCMT ref: 00D5EE62
                                        • 758ED0D0.COMDLG32(?), ref: 00D5EEAC
                                          • Part of subcall function 00D248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D248A1,?,?,00D237C0,?), ref: 00D248CE
                                          • Part of subcall function 00D409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D409F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: NamePath$FullLong_memset
                                        • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                        • API String ID: 3051022977-1954568251
                                        • Opcode ID: c27a300e7d9d266f03c8f09cf8e5f8697f52ffa71a5d3fe16018f6a101453268
                                        • Instruction ID: ab002504f207e354de532b9b7d48b641a1b38e6b417916f685df06af649b3373
                                        • Opcode Fuzzy Hash: c27a300e7d9d266f03c8f09cf8e5f8697f52ffa71a5d3fe16018f6a101453268
                                        • Instruction Fuzzy Hash: DC21A4719102589BCF15AF94D8457EEBBF8DF59305F04405AE808E7341DBB4598A8FB1

                                        Control-flow Graph

                                        Control-flow graph nodes (graph image not reproduced; legend: Executed / Not Executed): d239e7-d23a57, calling CreateWindowExW * 2, ShowWindow * 2
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D23A15
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D23A36
                                        • ShowWindow.USER32(00000000,?,?), ref: 00D23A4A
                                        • ShowWindow.USER32(00000000,?,?), ref: 00D23A53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: 112dc71bb8f3811173425c940cc37d35c0aafdedaf0c045829849df8c4ee0b86
                                        • Instruction ID: 7a0bb5039170d73d1a3d602f5719b1f3b3db36a1804a8050883685949fb2c6cb
                                        • Opcode Fuzzy Hash: 112dc71bb8f3811173425c940cc37d35c0aafdedaf0c045829849df8c4ee0b86
                                        • Instruction Fuzzy Hash: 70F030706003D07EEA3027536C88E773E7DD7D7FA0B000069BA00E6370C1A55840CA74

                                        Control-flow Graph 1075 d2410d-d24123 1076 d24200-d24204 1075->1076 1077 d24129-d2413e call d27b76 1075->1077 1080 d24144-d24164 call d27d2c 1077->1080 1081 d5d5dd-d5d5ec LoadStringW 1077->1081 1084 d5d5f7-d5d60f call d27c8e call d27143 1080->1084 1085 d2416a-d2416e 1080->1085 1081->1084 1094 d2417e-d241fb call d43020 call d2463e call d42ffc Shell_NotifyIconW call d25a64 1084->1094 1097 d5d615-d5d633 call d27e0b call d27143 call d27e0b 1084->1097 1087 d24174-d24179 call d27c8e 1085->1087 1088 d24205-d2420e call d281a7 1085->1088 1087->1094 1088->1094 1094->1076 1097->1094
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D5D5EC
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        • _memset.LIBCMT ref: 00D2418D
                                        • _wcscpy.LIBCMT ref: 00D241E1
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D241F1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                        • String ID: Line:
                                        • API String ID: 3942752672-1585850449
                                        • Opcode ID: 2b38eb7883570aa1c829828bcc8e08922df360ee1ba991b14b4c3dea66550c5b
                                        • Instruction ID: c1e8064acbf2b458aedba82139b441b3f0bf85b89d7aa1124739656c2b9df405
                                        • Opcode Fuzzy Hash: 2b38eb7883570aa1c829828bcc8e08922df360ee1ba991b14b4c3dea66550c5b
                                        • Instruction Fuzzy Hash: 9431B5710083649AD732EB60EC86FDB77E8EF74308F14451AF58596191EB70A648C7B6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                        • String ID:
                                        • API String ID: 1559183368-0
                                        • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                        • Instruction ID: efc2d9f757000146e59f39f744598be14688e768d1162778b130ff8829ba74d7
                                        • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                        • Instruction Fuzzy Hash: 2B51C130A00B05DBDB248FA9E88066E77A1EF40320F288739F865962DAD7709D549B70
                                        APIs
                                          • Part of subcall function 00D24F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D24F6F
                                        • _free.LIBCMT ref: 00D5E68C
                                        • _free.LIBCMT ref: 00D5E6D3
                                          • Part of subcall function 00D26BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D26D0D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                        • API String ID: 2861923089-1757145024
                                        • Opcode ID: 8333959ea6304119ba0055d2f83bd0f2a75896ddb7d034d96f57810d6b2f3fce
                                        • Instruction ID: 73767c737375b63e7202f2a97f86d3c5d55ab41c57d9a3772195f2a02aa03b7c
                                        • Opcode Fuzzy Hash: 8333959ea6304119ba0055d2f83bd0f2a75896ddb7d034d96f57810d6b2f3fce
                                        • Instruction Fuzzy Hash: A9914D719102299FCF18EFA4D8919EDB7B4FF19315B14446AFC15AB291EB30DA09CB70
                                        APIs
                                          • Part of subcall function 0122A108: Sleep.KERNELBASE(000001F4), ref: 0122A119
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0122A35C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CreateFileSleep
                                        • String ID: 8QD59M3HNU1LF9649O
                                        • API String ID: 2694422964-585315891
                                        • Opcode ID: 1d55aae29ea521e211a89930ebd26db8cb2e5d468b4d02a5c5fa03e16dce0d5a
                                        • Instruction ID: 5b2b2845613d4f5a26f8e2734a4189207beff7ed80ed939b4062d15ccbd367f1
                                        • Opcode Fuzzy Hash: 1d55aae29ea521e211a89930ebd26db8cb2e5d468b4d02a5c5fa03e16dce0d5a
                                        • Instruction Fuzzy Hash: 5561B530D14259EBEF11DBB4C844BEEBBB9AF14300F104199E609BB2C1D7BA4B45CB65
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D235A1,SwapMouseButtons,00000004,?), ref: 00D235D4
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D235A1,SwapMouseButtons,00000004,?,?,?,?,00D22754), ref: 00D235F5
                                        • RegCloseKey.KERNELBASE(00000000,?,?,00D235A1,SwapMouseButtons,00000004,?,?,?,?,00D22754), ref: 00D23617
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: b5168eaea84aa5e857fd99411821ee73f2937119b592c9cfe272987fc51c29d4
                                        • Instruction ID: cce0abe239684bda5a431fb83163e24ab5bbcfaf2ae8db8ce92632107044ea7d
                                        • Opcode Fuzzy Hash: b5168eaea84aa5e857fd99411821ee73f2937119b592c9cfe272987fc51c29d4
                                        • Instruction Fuzzy Hash: 5D114571610228BFDB208FA4EC80AAEBBBCEF55745F018469E805D7210E2719E409BB4
                                        APIs
                                          • Part of subcall function 00D25045: _fseek.LIBCMT ref: 00D2505D
                                          • Part of subcall function 00D899BE: _wcscmp.LIBCMT ref: 00D89AAE
                                          • Part of subcall function 00D899BE: _wcscmp.LIBCMT ref: 00D89AC1
                                        • _free.LIBCMT ref: 00D8992C
                                        • _free.LIBCMT ref: 00D89933
                                        • _free.LIBCMT ref: 00D8999E
                                          • Part of subcall function 00D42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D49C64), ref: 00D42FA9
                                          • Part of subcall function 00D42F95: GetLastError.KERNEL32(00000000,?,00D49C64), ref: 00D42FBB
                                        • _free.LIBCMT ref: 00D899A6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                        • String ID:
                                        • API String ID: 1552873950-0
                                        • Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
                                        • Instruction ID: f3891d12401228233551c9ad9e86ca5f3bf8f1ea6a920368d1267f04c4c02e22
                                        • Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
                                        • Instruction Fuzzy Hash: A25150B1904218AFDF249F64DC41AAEBBB9EF48314F1404AEF649A7241DB715E80CF78
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                        • String ID:
                                        • API String ID: 2782032738-0
                                        • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                        • Instruction ID: 94f9651dae3056c977c36bd7d3ac926119ada3eda5abe8c640e54cf934546a33
                                        • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                        • Instruction Fuzzy Hash: 7741E7716007059BDF28CEA9C881BAF77A6EF84364B28813DE895C7680D770DDC09B74
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __fread_nolock_memmove
                                        • String ID: EA06
                                        • API String ID: 1988441806-3962188686
                                        • Opcode ID: 5e411d3a79d285044533ddec3855df76f13ad8dc5bb576e11f0e8c4db9e940f6
                                        • Instruction ID: 02dfd80b877a36e09d6dc40602f6ccf1d699a43cdef1e695dbc202e9f3724f42
                                        • Opcode Fuzzy Hash: 5e411d3a79d285044533ddec3855df76f13ad8dc5bb576e11f0e8c4db9e940f6
                                        • Instruction Fuzzy Hash: 3401F9718042186FDB28C6A8D816EFEBBF8DB01301F04419BF592D2181E575E608CB70
                                        APIs
                                          • Part of subcall function 00D4594C: __FF_MSGBANNER.LIBCMT ref: 00D45963
                                          • Part of subcall function 00D4594C: __NMSG_WRITE.LIBCMT ref: 00D4596A
                                          • Part of subcall function 00D4594C: RtlAllocateHeap.NTDLL(01090000,00000000,00000001), ref: 00D4598F
                                        • std::exception::exception.LIBCMT ref: 00D4102C
                                        • __CxxThrowException@8.LIBCMT ref: 00D41041
                                          • Part of subcall function 00D487DB: RaiseException.KERNEL32(?,?,00000000,00DDBAF8,?,00000001,?,?,?,00D41046,00000000,00DDBAF8,00D29FEC,00000001), ref: 00D48830
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 3902256705-2104205924
                                        • Opcode ID: 9db3467d5686ec638194673d0649572f96961aae1eb86449579d70d60ca94b60
                                        • Instruction ID: cf7c56f7eaebaad2a43ea6066fb90913442593b5fb221533abc53a19b2cb6479
                                        • Opcode Fuzzy Hash: 9db3467d5686ec638194673d0649572f96961aae1eb86449579d70d60ca94b60
                                        • Instruction Fuzzy Hash: 64F0A439500259A7CB20BB58EC16AEF7BA8DF01391F140426F804A6692DFB18AC496F4
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01228E7D
                                        • ExitProcess.KERNEL32(00000000), ref: 01228E9C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$CreateExit
                                        • String ID: D
                                        • API String ID: 126409537-2746444292
                                        • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                        • Instruction ID: 1d00bc6e22ebd27b5916e76346f49cf195a9b9c3559fa81e82ed33ec6c7dc94b
                                        • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                        • Instruction Fuzzy Hash: 58F0ECB195025DABDB60EFE0CC49FEE7778BF04701F448508FB0A9A180DA74D6088B61
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00D89B82
                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D89B99
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: c0d47ef105b8a266c254bf1d510f15c2c7d47ce8c1f4c2b6126236ed189b537b
                                        • Instruction ID: ac7c59caf0546b27cd1841983e49c0d1aadda4499a353d97786a385ea4bc297d
                                        • Opcode Fuzzy Hash: c0d47ef105b8a266c254bf1d510f15c2c7d47ce8c1f4c2b6126236ed189b537b
                                        • Instruction Fuzzy Hash: FDD05E7954030DABDB109BD4DC0EFDA772CE705705F0042E1BE94D12A1DEB455988BA5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Similarity
                                        • Opcode ID: dd1a00366304add2f781e52a9e8fcca9faddf4c75dadfbc4d56260b9cc5f21ce
                                        • Instruction ID: a7bf2f2c917b1ffbe369e6b874a23cc3bcf9f5df6bc921773ea10de4cf2b9f16
                                        • Instruction Fuzzy Hash: FAF14771A083019FCB14DF28C484A6ABBE5FF88314F14892EF8999B351D731E945CFA2
                                        APIs
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D403D3
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D403DB
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D403E6
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D403F1
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D403F9
                                          • Part of subcall function 00D403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D40401
                                          • Part of subcall function 00D36259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00D362B4
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D2FB2D
                                        • OleInitialize.OLE32(00000000), ref: 00D2FBAA
                                        • CloseHandle.KERNEL32(00000000), ref: 00D649F2
                                        Similarity
                                        • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                        • API String ID: 3094916012-0
                                        • Opcode ID: 2fc713a38393dfcf04cc6a5bd33d2919777f0dd36cabc3285c2ebd66d14d696f
                                        • Instruction ID: f7792ed6a7648f16a0384022d89e99b313473361ce99fbb93dbafa16c14f3424
                                        • Instruction Fuzzy Hash: 6C81BAB09083D08EC394FF7AE9906157BE4EB78398714853AE019CB3A2EB31D4048F71
                                        APIs
                                        • _memset.LIBCMT ref: 00D24401
                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D244A6
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D244C3
                                        Similarity
                                        • API ID: IconNotifyShell_$_memset
                                        • API String ID: 1505330794-0
                                        • Opcode ID: 305d81cca67442d9b7085af1ac82368683b7dd10ca9d7b18cd70b6b1b099e693
                                        • Instruction ID: a81cba6560c298e2f6a587c6f96375e71bc82408144b797bd12877cb5e7b0f0b
                                        • Instruction Fuzzy Hash: 573180705047518FD721EF24E88479BBBE8FB69308F04092EEA9AC7241D7B5A944CB76
                                        APIs
                                        • __FF_MSGBANNER.LIBCMT ref: 00D45963
                                          • Part of subcall function 00D4A3AB: __NMSG_WRITE.LIBCMT ref: 00D4A3D2
                                          • Part of subcall function 00D4A3AB: __NMSG_WRITE.LIBCMT ref: 00D4A3DC
                                        • __NMSG_WRITE.LIBCMT ref: 00D4596A
                                          • Part of subcall function 00D4A408: GetModuleFileNameW.KERNEL32(00000000,00DE43BA,00000104,00000000,00000001,00000000), ref: 00D4A49A
                                          • Part of subcall function 00D4A408: ___crtMessageBoxW.LIBCMT ref: 00D4A548
                                          • Part of subcall function 00D432DF: ___crtCorExitProcess.LIBCMT ref: 00D432E5
                                          • Part of subcall function 00D432DF: ExitProcess.KERNEL32 ref: 00D432EE
                                          • Part of subcall function 00D48D68: __getptd_noexit.LIBCMT ref: 00D48D68
                                        • RtlAllocateHeap.NTDLL(01090000,00000000,00000001), ref: 00D4598F
                                        Similarity
                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                        • API String ID: 1372826849-0
                                        • Opcode ID: 0c69fd1c519bdcfc1986cd11729d5d21ec6344e37a89dbb28547298ab5416669
                                        • Instruction ID: 01210cdd95322a77f291793ae50ae8d496c9dba57b983c08f1a4e9bb6cf6cd4c
                                        • Instruction Fuzzy Hash: 7301DE32241B15EFE6217B69FC82B2E7288DF52770F18002AF545EA282DB709D019A74
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D897D2,?,?,?,?,?,00000004), ref: 00D89B45
                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D89B5B
                                        • CloseHandle.KERNEL32(00000000,?,00D897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D89B62
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • API String ID: 3397143404-0
                                        • Opcode ID: b01fed7480f1004761c1152666ee8db2ce81de851c37d853bece218a53f7268f
                                        • Instruction ID: dca890957d0f0c1a125f6aa8572937c536bae12230626712dd777f351dc05ae3
                                        • Instruction Fuzzy Hash: ECE08632681314BBDB312B94EC09FDA7B18AB06761F144120FB54A91E0C7B1651197A8
                                        APIs
                                        • _free.LIBCMT ref: 00D88FA5
                                          • Part of subcall function 00D42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D49C64), ref: 00D42FA9
                                          • Part of subcall function 00D42F95: GetLastError.KERNEL32(00000000,?,00D49C64), ref: 00D42FBB
                                        • _free.LIBCMT ref: 00D88FB6
                                        • _free.LIBCMT ref: 00D88FC8
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • API String ID: 776569668-0
                                        • Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
                                        • Instruction ID: cac514f63f8380f89f6dddc553b6101edcd8458fb406e9b533f988a1f96f1b70
                                        • Instruction Fuzzy Hash: 10E012A16097115BCA24B579AD40AA35BEE9F883907DC081DB609DB142DE24F8459634
                                        Similarity
                                        • String ID: CALL
                                        • API String ID: 0-4196123274
                                        • Opcode ID: 9a7ffe1889a5f3d73b4c86bc10a56e7f2a0d0fea96819c15a126a8edeef3ee3b
                                        • Instruction ID: 554484cac1f3f11f64cd45bac9bb647ffc034eb956d464a311ab9d2c4cc1df22
                                        • Instruction Fuzzy Hash: 8E223874508361CFC724DF18D490B2ABBE1FF54318F19895DE89A8B262D771EC85CBA2
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: EA06
                                        • API String ID: 4104443479-3962188686
                                        • Opcode ID: e3520c5efab02e532aac6f1f3cb700829d1dccaf555b390be6355842dcda78a2
                                        • Instruction ID: e4b2e3d94ef4816957d8bd9cf781ba0adf2478fe022827c345feaafd89040e91
                                        • Instruction Fuzzy Hash: E0418931A041745BEF219B64FD51BBE7FA2EF65308F2D4065FC829B286C6319D8487B1
                                        Similarity
                                        • API ID: _memmove
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
                                        • Instruction ID: ee0f0986bcb43cde75c7c736376679fe153273708b1df351a666950df87e908b
                                        • Instruction Fuzzy Hash: 7631C5B1604516AFC724DF38E8D1E6AF3A9FF583147198629E915CB291DB70E860CBB0
                                        APIs
                                        • 74E4C8D0.UXTHEME ref: 00D24992
                                          • Part of subcall function 00D435AC: __lock.LIBCMT ref: 00D435B2
                                          • Part of subcall function 00D435AC: RtlDecodePointer.NTDLL(00000001), ref: 00D435BE
                                          • Part of subcall function 00D435AC: RtlEncodePointer.NTDLL(?), ref: 00D435C9
                                          • Part of subcall function 00D24A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D24A73
                                          • Part of subcall function 00D24A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D24A88
                                          • Part of subcall function 00D23B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D23B7A
                                          • Part of subcall function 00D23B4C: IsDebuggerPresent.KERNEL32 ref: 00D23B8C
                                          • Part of subcall function 00D23B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00DE62F8,00DE62E0,?,?), ref: 00D23BFD
                                          • Part of subcall function 00D23B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D23C81
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D249D2
                                        Similarity
                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                        • API String ID: 2688871447-0
                                        • Opcode ID: 3557b080ca9d984aa3a9a1e2993d78cb99049809402f11ecc07ef6f79b1215a4
                                        • Instruction ID: 7529bcd0e6ffb65950f6ee268167a74d4944cfa1f4a8f11dafc4311577a6fdea
                                        • Instruction Fuzzy Hash: 51116A719083A19BC700EF68E88590AFBE8EBA4754F00451EF545CB2A1DB709544CBB6
                                        Similarity
                                        • API ID: __lock_file_memset
                                        • API String ID: 26237723-0
                                        • Opcode ID: e97508a1a328af5ab706ecb60ad47e921ee7bc757c4a9803fe452d31dfbb8d09
                                        • Instruction ID: 87e2a72d470640626a4d537abe02e735fb592c779200373076ca0616435d5d06
                                        • Instruction Fuzzy Hash: 90018471C00609EBCF22AF699C0159E7B61EF413A0F188215B8146A1A6DF31CA21EBB1
                                        APIs
                                          • Part of subcall function 00D48D68: __getptd_noexit.LIBCMT ref: 00D48D68
                                        • __lock_file.LIBCMT ref: 00D4561B
                                          • Part of subcall function 00D46E4E: __lock.LIBCMT ref: 00D46E71
                                        • __fclose_nolock.LIBCMT ref: 00D45626
                                        Similarity
                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                        • String ID:
                                        APIs
                                          • Part of subcall function 01228718: GetFileAttributesW.KERNELBASE(?), ref: 01228723
                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01229004
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AttributesCreateDirectoryFile
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00D24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D24D4D
                                          • Part of subcall function 00D4548B: __wfsopen.LIBCMT ref: 00D45496
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D24F6F
                                          • Part of subcall function 00D24CC8: FreeLibrary.KERNEL32(00000000), ref: 00D24D02
                                          • Part of subcall function 00D24DD0: _memmove.LIBCMT ref: 00D24E1A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Library$Free$Load__wfsopen_memmove
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        APIs
                                        • __lock_file.LIBCMT ref: 00D44AD6
                                          • Part of subcall function 00D48D68: __getptd_noexit.LIBCMT ref: 00D48D68
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit__lock_file
                                        • String ID:
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,00DE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D24FDE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D409F4
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: LongNamePath_memmove
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 01228723
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 012286F3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __wfsopen
                                        • String ID:
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 0122A119
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 0122A119
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction ID: 444d920b30ecef5e6a72962936d409bd03871c2c1bda939f9ae59e9d77c3d512
                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction Fuzzy Hash: 2FE0E67494110DEFDB00DFB4D54969D7BB4EF04302F100161FD01D2680D6309D508A62
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00DACE50
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DACE91
                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00DACED6
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DACF00
                                        • SendMessageW.USER32 ref: 00DACF29
                                        • _wcsncpy.LIBCMT ref: 00DACFA1
                                        • GetKeyState.USER32(00000011), ref: 00DACFC2
                                        • GetKeyState.USER32(00000009), ref: 00DACFCF
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DACFE5
                                        • GetKeyState.USER32(00000010), ref: 00DACFEF
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DAD018
                                        • SendMessageW.USER32 ref: 00DAD03F
                                        • SendMessageW.USER32(?,00001030,?,00DAB602), ref: 00DAD145
                                        • SetCapture.USER32(?), ref: 00DAD177
                                        • ClientToScreen.USER32(?,?), ref: 00DAD1DC
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DAD203
                                        • ReleaseCapture.USER32 ref: 00DAD20E
                                        • GetCursorPos.USER32(?), ref: 00DAD248
                                        • ScreenToClient.USER32(?,?), ref: 00DAD255
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DAD2B1
                                        • SendMessageW.USER32 ref: 00DAD2DF
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DAD31C
                                        • SendMessageW.USER32 ref: 00DAD34B
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DAD36C
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DAD37B
                                        • GetCursorPos.USER32(?), ref: 00DAD39B
                                        • ScreenToClient.USER32(?,?), ref: 00DAD3A8
                                        • GetParent.USER32(?), ref: 00DAD3C8
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DAD431
                                        • SendMessageW.USER32 ref: 00DAD462
                                        • ClientToScreen.USER32(?,?), ref: 00DAD4C0
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DAD4F0
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DAD51A
                                        • SendMessageW.USER32 ref: 00DAD53D
                                        • ClientToScreen.USER32(?,?), ref: 00DAD58F
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DAD5C3
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DAD65F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                        • String ID: @GUI_DRAGID$F
                                        • API String ID: 302779176-4164748364
                                        • Opcode ID: d38a6c253566195b5971f2eb9f42d9f79582a33d9d2a4677ff05dc2ea8157146
                                        • Instruction ID: 4c7e8820cf365e4b3b515b63007e80df89d6cd42c1d162c8d0d0d300375be7c6
                                        • Opcode Fuzzy Hash: d38a6c253566195b5971f2eb9f42d9f79582a33d9d2a4677ff05dc2ea8157146
                                        • Instruction Fuzzy Hash: 0A429C30204341EFD725DF68C884BAABBE6FF4A364F180559F696876A0C771D950CBB2
                                        APIs
                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00DA873F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: %d/%02d/%02d
                                        • API String ID: 3850602802-328681919
                                        • Opcode ID: 717708b19b82c08199b223924c1e78995460ceaa128f29907cc52de0f20d9bc1
                                        • Instruction ID: ad59ca1bafbd2e6fa4734e2941fc9c93669884a72555550bac7c5118d5dc704f
                                        • Opcode Fuzzy Hash: 717708b19b82c08199b223924c1e78995460ceaa128f29907cc52de0f20d9bc1
                                        • Instruction Fuzzy Hash: F212D071500348AFEB259F64CC49FAA7BB8EF4A710F284169F915EA2E1DF708941DB70
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memmove$_memset
                                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                        • API String ID: 1357608183-1798697756
                                        • Opcode ID: 5670908fcff886881a9f5504346b77308e12e08b9662786a36655321a71c498c
                                        • Instruction ID: 5093d23a2560616adfcea8a706e3e3e06f942b6139a27276a165e977a62adf7f
                                        • Opcode Fuzzy Hash: 5670908fcff886881a9f5504346b77308e12e08b9662786a36655321a71c498c
                                        • Instruction Fuzzy Hash: A0939175A00215DFDB24CF58C881BADB7B1FF48710F29816AE959EB381E7709E81DB60
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,?), ref: 00D24A3D
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5DA8E
                                        • IsIconic.USER32(?), ref: 00D5DA97
                                        • ShowWindow.USER32(?,00000009), ref: 00D5DAA4
                                        • SetForegroundWindow.USER32(?), ref: 00D5DAAE
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D5DAC4
                                        • GetCurrentThreadId.KERNEL32 ref: 00D5DACB
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D5DAD7
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D5DAE8
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D5DAF0
                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D5DAF8
                                        • SetForegroundWindow.USER32(?), ref: 00D5DAFB
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5DB10
                                        • keybd_event.USER32(00000012,00000000), ref: 00D5DB1B
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5DB25
                                        • keybd_event.USER32(00000012,00000000), ref: 00D5DB2A
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5DB33
                                        • keybd_event.USER32(00000012,00000000), ref: 00D5DB38
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5DB42
                                        • keybd_event.USER32(00000012,00000000), ref: 00D5DB47
                                        • SetForegroundWindow.USER32(?), ref: 00D5DB4A
                                        • AttachThreadInput.USER32(?,?,00000000), ref: 00D5DB71
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: 20500cf68c0946d891b66863cd557e02acb6aa645d6e23421d893762114b6105
                                        • Instruction ID: cbb2e86eeec73552ccb5575b90ce46ebefd83bf91357be4d48476e866765ecbb
                                        • Opcode Fuzzy Hash: 20500cf68c0946d891b66863cd557e02acb6aa645d6e23421d893762114b6105
                                        • Instruction Fuzzy Hash: 7F315071A80318BBEF316FA19C49F7F3E6DEB45B51F154065FE04EA2D0D6B05900AAB0
                                        APIs
                                          • Part of subcall function 00D78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D78D0D
                                          • Part of subcall function 00D78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D78D3A
                                          • Part of subcall function 00D78CC3: GetLastError.KERNEL32 ref: 00D78D47
                                        • _memset.LIBCMT ref: 00D7889B
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D788ED
                                        • CloseHandle.KERNEL32(?), ref: 00D788FE
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D78915
                                        • GetProcessWindowStation.USER32 ref: 00D7892E
                                        • SetProcessWindowStation.USER32(00000000), ref: 00D78938
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D78952
                                          • Part of subcall function 00D78713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D78851), ref: 00D78728
                                          • Part of subcall function 00D78713: CloseHandle.KERNEL32(?,?,00D78851), ref: 00D7873A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                        • String ID: $default$winsta0$winsta0\default
                                        • API String ID: 2063423040-1685893292
                                        • Opcode ID: 0f3fcb6b561566ce910e63cbeafd3ceaa8cc82f9d51a3de7ec683b46dfd56950
                                        • Instruction ID: 26a6862a54fb34fddf3cc9ad5f2abc1cb4d4c26268867106bcc533b0af3b8e2a
                                        • Opcode Fuzzy Hash: 0f3fcb6b561566ce910e63cbeafd3ceaa8cc82f9d51a3de7ec683b46dfd56950
                                        • Instruction Fuzzy Hash: EF814071940209BFDF11DFA4DC49AEE7B78EF05304F18816AF918A6261EB318E15EB70
                                        APIs
                                        • OpenClipboard.USER32(00DAF910), ref: 00D94284
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00D94292
                                        • GetClipboardData.USER32(0000000D), ref: 00D9429A
                                        • CloseClipboard.USER32 ref: 00D942A6
                                        • GlobalLock.KERNEL32(00000000), ref: 00D942C2
                                        • CloseClipboard.USER32 ref: 00D942CC
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00D942E1
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00D942EE
                                        • GetClipboardData.USER32(00000001), ref: 00D942F6
                                        • GlobalLock.KERNEL32(00000000), ref: 00D94303
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00D94337
                                        • CloseClipboard.USER32 ref: 00D94447
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                        • String ID:
                                        • API String ID: 3222323430-0
                                        • Opcode ID: 65c79e520dae9cc59c9faea245d509a02d88fb5696f47af4c7cf838fd3eeb7fc
                                        • Instruction ID: 0e2aceb16d154a6b9ecbbc1c3703ca3668f785c93c1edcc8f4a877752c8231c2
                                        • Opcode Fuzzy Hash: 65c79e520dae9cc59c9faea245d509a02d88fb5696f47af4c7cf838fd3eeb7fc
                                        • Instruction Fuzzy Hash: 4851A331204301AFDB10BFA0EC96F6E77A8EF95B00F144569F595D22A2DF70D9058B76
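The three API listings above (the AttachThreadInput/SetForegroundWindow/keybd_event sequence, the DuplicateTokenEx/OpenWindowStationW/OpenDesktopW sequence and the clipboard reader) are easier to triage once the raw hex arguments are named. The following Python is an added example and is not part of the Joe Sandbox report or its tooling: it parses lines in the report's own "API.MODULE(args), ref: addr" format, names the constants a practitioner would otherwise look up by hand (CF_UNICODETEXT and CF_TEXT for the clipboard formats, VK_MENU for the synthesized Alt press, the 500 ms Sleep), and tags the capability each call group implies. The sample lines are copied from this report; the capability names and the rule sets behind them are this example's own assumptions, not report signatures.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: API lines copied from the per-function listings in
# this report, in the report's own "• API.MODULE(args), ref: addr" format.
SAMPLE_REPORT = """\
• OpenClipboard.USER32(00DAF910), ref: 00D94284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00D94292
• GetClipboardData.USER32(0000000D), ref: 00D9429A
• GlobalLock.KERNEL32(00000000), ref: 00D942C2
• IsClipboardFormatAvailable.USER32(00000001), ref: 00D942EE
• GetClipboardData.USER32(00000001), ref: 00D942F6
• CloseClipboard.USER32 ref: 00D94447
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00D5DAE8
• SetForegroundWindow.USER32(?), ref: 00D5DAFB
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5DB10
• keybd_event.USER32(00000012,00000000), ref: 00D5DB1B
  • Part of subcall function 00D78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D78D3A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D788ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D78915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D78952
• Sleep.KERNELBASE(000001F4), ref: 0122A119
"""

# One report line: optional "Part of subcall function <addr>:" prefix, then
# API.MODULE, an optional "(arg,arg,...)" list, and the "ref: <addr>" call site.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX = re.compile(r"[0-9A-Fa-f]+")

# Well-known Win32 constants that appear in the listings above.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
VIRTUAL_KEYS = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}

# (API name, argument index) -> table used to name that argument's value.
ARG_DECODERS = {
    ("IsClipboardFormatAvailable", 0): CLIPBOARD_FORMATS,
    ("GetClipboardData", 0): CLIPBOARD_FORMATS,
    ("keybd_event", 0): VIRTUAL_KEYS,
    ("MapVirtualKeyW", 0): VIRTUAL_KEYS,
    ("GetKeyState", 0): VIRTUAL_KEYS,
}

# Coarse capability rules (this example's own assumption): every listed API
# must appear among the parsed calls for the capability to be reported.
CAPABILITY_RULES = {
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "foreground_hijack": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "token_desktop_switch": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
}


def parse_api_lines(text: str) -> List[Dict]:
    """Parse report-style API lines into dicts; lines in any other shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in raw_args.split(",")] if raw_args else [],
            "ref": m.group("ref").upper(),
            "subcall": m.group("sub"),  # address of the enclosing subcall, if any
        })
    return calls


def decode_arg(api: str, index: int, raw: str) -> Optional[str]:
    """Name a hex argument where the API and position are known; None otherwise."""
    if not HEX.fullmatch(raw):  # "?" placeholders and string literals stay as-is
        return None
    value = int(raw, 16)
    if api == "Sleep" and index == 0:
        return f"{value} ms"
    table = ARG_DECODERS.get((api, index))
    return table.get(value) if table else None


def annotate(calls: List[Dict]) -> List[str]:
    """Render each call as 'ref  API(decoded args)', keeping undecodable args raw."""
    out = []
    for c in calls:
        decoded = [decode_arg(c["api"], i, a) or a for i, a in enumerate(c["args"])]
        prefix = f"[sub {c['subcall']}] " if c["subcall"] else ""
        out.append(f"{prefix}{c['ref']}  {c['api']}({', '.join(decoded)})")
    return out


def capabilities(calls: List[Dict]) -> List[str]:
    """Return the sorted capability names whose full API set was observed."""
    seen = {c["api"] for c in calls}
    return sorted(name for name, needed in CAPABILITY_RULES.items() if needed <= seen)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_REPORT)
    print("\n".join(annotate(parsed)))
    print("capabilities:", ", ".join(capabilities(parsed)))
```

Two caveats apply when reading the output. The page flags the sample as a compiled AutoIt script, and the matched sequences are AutoIt runtime helpers, so a match shows the capability is compiled into the binary, not that this particular script invokes it; correlate with the behavioural signatures (clipboard read, browser and mail credential access) listed at the top of the report before drawing conclusions. Arguments shown as "?" are unresolved by the static pass and are left untouched here rather than guessed.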
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00D8C9F8
                                        • FindClose.KERNEL32(00000000), ref: 00D8CA4C
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8CA71
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8CA88
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8CAAF
                                        • __swprintf.LIBCMT ref: 00D8CAFB
                                        • __swprintf.LIBCMT ref: 00D8CB3E
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                        • __swprintf.LIBCMT ref: 00D8CB92
                                          • Part of subcall function 00D438D8: __woutput_l.LIBCMT ref: 00D43931
                                        • __swprintf.LIBCMT ref: 00D8CBE0
                                          • Part of subcall function 00D438D8: __flsbuf.LIBCMT ref: 00D43953
                                          • Part of subcall function 00D438D8: __flsbuf.LIBCMT ref: 00D4396B
                                        • __swprintf.LIBCMT ref: 00D8CC2F
                                        • __swprintf.LIBCMT ref: 00D8CC7E
                                        • __swprintf.LIBCMT ref: 00D8CCCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                        • API String ID: 3953360268-2428617273
                                        • Opcode ID: 3dd62f6d7bee4d3a4af42da9587af13ae78daf65db6c293d16bc5c749d7ef7ca
                                        • Instruction ID: 8c69c4f8bdb3a6c293104c7f32bfa3a12b24ecd39935cc2c5aaffacbf9b1d2ad
                                        • Opcode Fuzzy Hash: 3dd62f6d7bee4d3a4af42da9587af13ae78daf65db6c293d16bc5c749d7ef7ca
                                        • Instruction Fuzzy Hash: B5A14EB2508314ABC710FBA4D996DAFB7ECEF94704F404919F586D6191EA34EA08CB72
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00D8F221
                                        • _wcscmp.LIBCMT ref: 00D8F236
                                        • _wcscmp.LIBCMT ref: 00D8F24D
                                        • GetFileAttributesW.KERNEL32(?), ref: 00D8F25F
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00D8F279
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00D8F291
                                        • FindClose.KERNEL32(00000000), ref: 00D8F29C
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00D8F2B8
                                        • _wcscmp.LIBCMT ref: 00D8F2DF
                                        • _wcscmp.LIBCMT ref: 00D8F2F6
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00D8F308
                                        • SetCurrentDirectoryW.KERNEL32(00DDA5A0), ref: 00D8F326
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D8F330
                                        • FindClose.KERNEL32(00000000), ref: 00D8F33D
                                        • FindClose.KERNEL32(00000000), ref: 00D8F34F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1803514871-438819550
                                        • Opcode ID: f2e7aee218f7d939a643b36df08b841f5250414a7c25a620a61bf41848f791a6
                                        • Instruction ID: 267f35521ffe2e48b2c43dcaf9155dd05647d8b020791b8a428b0e382a224008
                                        • Opcode Fuzzy Hash: f2e7aee218f7d939a643b36df08b841f5250414a7c25a620a61bf41848f791a6
                                        • Instruction Fuzzy Hash: 8A31A0766002196FDB20EBB4EC49BDE77ACEF49361F1441B6E854D31A0EB30DA458B78
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA0BDE
                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00DAF910,00000000,?,00000000,?,?), ref: 00DA0C4C
                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00DA0C94
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00DA0D1D
                                        • RegCloseKey.ADVAPI32(?), ref: 00DA103D
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00DA104A
                                        Strings
                                        Similarity
                                        • API ID: Close$ConnectCreateRegistryValue
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 536824911-966354055
                                        • Opcode ID: c8e18396ca7ad333048c197f6c58ec151bf42e6477bba9fdfd35ae0afc64c747
                                        • Instruction ID: ced53412d25be81f56673f7b36185dc65c19bb38c16f0435db0ab4f931013a68
                                        • Opcode Fuzzy Hash: c8e18396ca7ad333048c197f6c58ec151bf42e6477bba9fdfd35ae0afc64c747
                                        • Instruction Fuzzy Hash: C2028F756046119FDB14EF24D891E2ABBE5FF89724F04885DF8899B361CB31ED40CB61
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • DragQueryPoint.SHELL32(?,?), ref: 00DAC917
                                          • Part of subcall function 00DAADF1: ClientToScreen.USER32(?,?), ref: 00DAAE1A
                                          • Part of subcall function 00DAADF1: GetWindowRect.USER32(?,?), ref: 00DAAE90
                                          • Part of subcall function 00DAADF1: PtInRect.USER32(?,?,00DAC304), ref: 00DAAEA0
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00DAC980
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DAC98B
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DAC9AE
                                        • _wcscat.LIBCMT ref: 00DAC9DE
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DAC9F5
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00DACA0E
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00DACA25
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00DACA47
                                        • DragFinish.SHELL32(?), ref: 00DACA4E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00DACB41
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 2166380349-3440237614
                                        • Opcode ID: 86ef4d0eb65330dc69dbf9869a14f5f1a2ce3c47bde64a5f3d98943fba4c37d4
                                        • Instruction ID: 52cd5a269baff401d6709058ecf86d14cb57fd7601779e53ea23fe315294d723
                                        • Opcode Fuzzy Hash: 86ef4d0eb65330dc69dbf9869a14f5f1a2ce3c47bde64a5f3d98943fba4c37d4
                                        • Instruction Fuzzy Hash: 4D617B71108310AFC711EF64DC85D9FBBE8EF99714F040A2EF591962A1DB709A09CBB2
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00D8F37E
                                        • _wcscmp.LIBCMT ref: 00D8F393
                                        • _wcscmp.LIBCMT ref: 00D8F3AA
                                          • Part of subcall function 00D845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D845DC
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00D8F3D9
                                        • FindClose.KERNEL32(00000000), ref: 00D8F3E4
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00D8F400
                                        • _wcscmp.LIBCMT ref: 00D8F427
                                        • _wcscmp.LIBCMT ref: 00D8F43E
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00D8F450
                                        • SetCurrentDirectoryW.KERNEL32(00DDA5A0), ref: 00D8F46E
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D8F478
                                        • FindClose.KERNEL32(00000000), ref: 00D8F485
                                        • FindClose.KERNEL32(00000000), ref: 00D8F497
                                        Strings
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 1824444939-438819550
                                        • Opcode ID: 42f494eecd4f31e2e9b3bf70f6068d3c9a183ef44113775532145095d75453e0
                                        • Instruction ID: aadd6c2cad6fe252e9ed8a37c879cd142dfd0c8cc3e953cd796c9f9147c11db1
                                        • Opcode Fuzzy Hash: 42f494eecd4f31e2e9b3bf70f6068d3c9a183ef44113775532145095d75453e0
                                        • Instruction Fuzzy Hash: 4C3195715012196FCF10BBA8EC88ADE77AC9F49365F1442B6E890E31A1D771DE48CB74
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DAC4EC
                                        • GetFocus.USER32 ref: 00DAC4FC
                                        • GetDlgCtrlID.USER32(00000000), ref: 00DAC507
                                        • _memset.LIBCMT ref: 00DAC632
                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00DAC65D
                                        • GetMenuItemCount.USER32(?), ref: 00DAC67D
                                        • GetMenuItemID.USER32(?,00000000), ref: 00DAC690
                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00DAC6C4
                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00DAC70C
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DAC744
                                        • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00DAC779
                                        Strings
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                        • String ID: 0
                                        • API String ID: 3616455698-4108050209
                                        • Opcode ID: 99c7f0fa2d192c49e3b581df4cf65e674f7e850804ab7e712d568afd395a942d
                                        • Instruction ID: ccb4871dedb9dd75d999b5155e20d1947a1054baa20e7134b6265afa5db6cfee
                                        • Opcode Fuzzy Hash: 99c7f0fa2d192c49e3b581df4cf65e674f7e850804ab7e712d568afd395a942d
                                        • Instruction Fuzzy Hash: 9081AD70618301AFD720DF24C884A6BBBE8FB8A364F08192DF99597291D770D905CFB2
                                        APIs
                                          • Part of subcall function 00D7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D78766
                                          • Part of subcall function 00D7874A: GetLastError.KERNEL32(?,00D7822A,?,?,?), ref: 00D78770
                                          • Part of subcall function 00D7874A: GetProcessHeap.KERNEL32(00000008,?,?,00D7822A,?,?,?), ref: 00D7877F
                                          • Part of subcall function 00D7874A: RtlAllocateHeap.NTDLL(00000000,?,00D7822A), ref: 00D78786
                                          • Part of subcall function 00D7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D7879D
                                          • Part of subcall function 00D787E7: GetProcessHeap.KERNEL32(00000008,00D78240,00000000,00000000,?,00D78240,?), ref: 00D787F3
                                          • Part of subcall function 00D787E7: RtlAllocateHeap.NTDLL(00000000,?,00D78240), ref: 00D787FA
                                          • Part of subcall function 00D787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D78240,?), ref: 00D7880B
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D7825B
                                        • _memset.LIBCMT ref: 00D78270
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D7828F
                                        • GetLengthSid.ADVAPI32(?), ref: 00D782A0
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00D782DD
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D782F9
                                        • GetLengthSid.ADVAPI32(?), ref: 00D78316
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D78325
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00D7832C
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D7834D
                                        • CopySid.ADVAPI32(00000000), ref: 00D78354
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D78385
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D783AB
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D783BF
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: f13ba6aa4a0646d4c3d4e3631903edee2ac8762288c183b26dbcf0deffd4ec16
                                        • Instruction ID: fe62cbe7861f475238f9b55ed8ebcc83e4ab43d4aaf7ec20714c2992913aeea5
                                        • Opcode Fuzzy Hash: f13ba6aa4a0646d4c3d4e3631903edee2ac8762288c183b26dbcf0deffd4ec16
                                        • Instruction Fuzzy Hash: 3B613C71940209ABDF109F94DC49AAEBBB9FF05700F14816AE819E7291EB359A05DB70
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                        • API String ID: 0-4052911093
                                        • Opcode ID: 39a13e77a1c0cc4fe9a182298713e1abdf8cbb85cbaa2474783f55dc0c634af1
                                        • Instruction ID: 53062e43eea58f3003f1f69c14d11cf186b98e9a5e3805ade4d2c7fcfc684281
                                        • Opcode Fuzzy Hash: 39a13e77a1c0cc4fe9a182298713e1abdf8cbb85cbaa2474783f55dc0c634af1
                                        • Instruction Fuzzy Hash: F1724F75E00219DBDB24CF59D8907AEB7B5EF48710F18816AE949EB290E770D981CBB0
                                        APIs
                                          • Part of subcall function 00DA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA0038,?,?), ref: 00DA10BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA0737
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DA07D6
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DA086E
                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00DA0AAD
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00DA0ABA
                                        Similarity
                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                        • String ID:
                                        • API String ID: 1240663315-0
                                        • Opcode ID: d5457ac86ffb7bf01858b35ed07314dd78a9b579e2d15f33f86d5c1ad86ac714
                                        • Instruction ID: 5609f34e3a4dd58e2317510a57a357158e3068133a4ab05fe5776ea94ef1b7ac
                                        • Opcode Fuzzy Hash: d5457ac86ffb7bf01858b35ed07314dd78a9b579e2d15f33f86d5c1ad86ac714
                                        • Instruction Fuzzy Hash: 38E13E71604310AFCB14DF24C895E6ABBE4EF89714F08896DF48ADB2A1DB31ED45CB61
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00D80241
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00D802C2
                                        • GetKeyState.USER32(000000A0), ref: 00D802DD
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00D802F7
                                        • GetKeyState.USER32(000000A1), ref: 00D8030C
                                        • GetAsyncKeyState.USER32(00000011), ref: 00D80324
                                        • GetKeyState.USER32(00000011), ref: 00D80336
                                        • GetAsyncKeyState.USER32(00000012), ref: 00D8034E
                                        • GetKeyState.USER32(00000012), ref: 00D80360
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00D80378
                                        • GetKeyState.USER32(0000005B), ref: 00D8038A
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 51522491420ed2b0867bb1c85b6697a7ac84c12cf62a6f5cd1e859c4e635ec95
                                        • Instruction ID: c8a793292691fe3975851fc986d411724a0bc3fbdb5e2ba9152b02b10b88e14e
                                        • Opcode Fuzzy Hash: 51522491420ed2b0867bb1c85b6697a7ac84c12cf62a6f5cd1e859c4e635ec95
                                        • Instruction Fuzzy Hash: D0417524904BC96EFFB1BBA488087B5BEA06B16344F0C409DD5C6566C2EBD49DCC87B6
                                        APIs
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • CoInitialize.OLE32 ref: 00D98718
                                        • CoUninitialize.COMBASE ref: 00D98723
                                        • CoCreateInstance.COMBASE(?,00000000,00000017,00DB2BEC,?), ref: 00D98783
                                        • IIDFromString.COMBASE(?,?), ref: 00D987F6
                                        • VariantInit.OLEAUT32(?), ref: 00D98890
                                        • VariantClear.OLEAUT32(?), ref: 00D988F1
                                        Strings
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 834269672-1287834457
                                        • Opcode ID: 8d68f36870544e5fdf11c8464728f2169f9a9773607d092787cc03fdd7b8b588
                                        • Instruction ID: 5820c5379b853d2034b5701ad847e51f8717ca5703479d2896b8c8b214076955
                                        • Opcode Fuzzy Hash: 8d68f36870544e5fdf11c8464728f2169f9a9773607d092787cc03fdd7b8b588
                                        • Instruction Fuzzy Hash: 2661E0706083119FDB10DF64D848B6ABBE8EF4AB14F14495DF8859B291CB70ED48DBB2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        • Opcode ID: 7329561377c95823f7770493949e0540e8773115813c7506321d78617f1ef924
                                        • Instruction ID: ddf9cde8c2908754227370fa6f2896e8309e32ac0a3c26ffc1d17169d8a9cab3
                                        • Opcode Fuzzy Hash: 7329561377c95823f7770493949e0540e8773115813c7506321d78617f1ef924
                                        • Instruction Fuzzy Hash: 27217E356007209FDB10AFA0EC59F697BA8EF15715F148056F946DB362DB70E801CB74
                                        APIs
                                          • Part of subcall function 00D248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D248A1,?,?,00D237C0,?), ref: 00D248CE
                                          • Part of subcall function 00D84CD3: GetFileAttributesW.KERNEL32(?,00D83947), ref: 00D84CD4
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00D83ADF
                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00D83B87
                                        • MoveFileW.KERNEL32(?,?), ref: 00D83B9A
                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00D83BB7
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D83BD9
                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00D83BF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 4002782344-1173974218
                                        • Opcode ID: 0689a0bd836ff352e623a0e4cedbe6b73461e09867633047728d9682ca27b8a6
                                        • Instruction ID: 322a878a61d88f17e6b95a2e629eba191f2f84892c072119143fd5a717ff14f9
                                        • Opcode Fuzzy Hash: 0689a0bd836ff352e623a0e4cedbe6b73461e09867633047728d9682ca27b8a6
                                        • Instruction Fuzzy Hash: F8516D31805259AACF15FBA0ED929EDB778EF24304F6441A9E446B7191EF306F09CBB0
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D8F6AB
                                        • Sleep.KERNEL32(0000000A), ref: 00D8F6DB
                                        • _wcscmp.LIBCMT ref: 00D8F6EF
                                        • _wcscmp.LIBCMT ref: 00D8F70A
                                        • FindNextFileW.KERNEL32(?,?), ref: 00D8F7A8
                                        • FindClose.KERNEL32(00000000), ref: 00D8F7BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                        • String ID: *.*
                                        • API String ID: 713712311-438819550
                                        • Opcode ID: 8b455d1f8d4a3edaa683fafbe6f0645179e28d5b226c8f9108c4dfd1a00e4424
                                        • Instruction ID: 655a72bf92d443b753cca06de56b628967a3111f8ba030941a06d81cb24dee7a
                                        • Opcode Fuzzy Hash: 8b455d1f8d4a3edaa683fafbe6f0645179e28d5b226c8f9108c4dfd1a00e4424
                                        • Instruction Fuzzy Hash: 3741727190021A9FDF15EFA4DC45AEEBBB4FF15310F144566E855A3290EB309E54CBB0
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • GetSystemMetrics.USER32(0000000F), ref: 00DAD78A
                                        • GetSystemMetrics.USER32(0000000F), ref: 00DAD7AA
                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00DAD9E5
                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DADA03
                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DADA24
                                        • ShowWindow.USER32(00000003,00000000), ref: 00DADA43
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00DADA68
                                        • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00DADA8B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                        • String ID:
                                        • API String ID: 830902736-0
                                        • Opcode ID: 3a2e3c22df3209aa668e1c8e852cf9a814d473d177be1324eed3e8380cef8949
                                        • Instruction ID: 67c5876525694f14df09e18f5b963b57152cb3c5b74656a500f70df0ea8b3aa5
                                        • Opcode Fuzzy Hash: 3a2e3c22df3209aa668e1c8e852cf9a814d473d177be1324eed3e8380cef8949
                                        • Instruction Fuzzy Hash: 8BB17A71600215EFDF18CF68C9C57BE7BB2FF46701F088169EC8A9A695D734A950CBA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-1546025612
                                        • Opcode ID: efcfc483b9572ead1d6a9e21120b1b957e8dbed2ad8f9d2394bcdc7e1e3de204
                                        • Instruction ID: 48b98a47701e48a0506fb64ca4f04c424c9c2db39388a5c594e76418159ce12e
                                        • Opcode Fuzzy Hash: efcfc483b9572ead1d6a9e21120b1b957e8dbed2ad8f9d2394bcdc7e1e3de204
                                        • Instruction Fuzzy Hash: 40A2B170E0421ACBDF24CF58C9407ADB7B1FF55314F1885AAD856A7280E778AE85DFA0
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D7EB19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                        • API String ID: 1659193697-2318614619
                                        • Opcode ID: db819e157bee6df91231d62c76014a812cbc1a0a3c20353b87d64e77e4a764fb
                                        • Instruction ID: 6d3d8e6d6c60e3d50d6cee0a6e2e4f8bc34c753a769a3aa8d7e4a06b21669a73
                                        • Opcode Fuzzy Hash: db819e157bee6df91231d62c76014a812cbc1a0a3c20353b87d64e77e4a764fb
                                        • Instruction Fuzzy Hash: 12322575A006059FD728CF29C481A6AF7F1FF48320B15C5AEE89ADB7A1E770E941CB50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: dee2db05ef050dba81937b1ddc15b62c50e7655bdb21a675dd7883bffb60deb3
                                        • Instruction ID: 47dc313359445b782df54190cd797116f166c82195e1b42232b5352a95402af2
                                        • Opcode Fuzzy Hash: dee2db05ef050dba81937b1ddc15b62c50e7655bdb21a675dd7883bffb60deb3
                                        • Instruction Fuzzy Hash: 30128970A00609DBDF14DFA4E981AAEB7F5FF48300F148569E446E7295EB35AA11CB70
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                          • Part of subcall function 00D22344: GetCursorPos.USER32(?), ref: 00D22357
                                          • Part of subcall function 00D22344: ScreenToClient.USER32(00DE67B0,?), ref: 00D22374
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000001), ref: 00D22399
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000002), ref: 00D223A7
                                        • ReleaseCapture.USER32 ref: 00DAC2F0
                                        • SetWindowTextW.USER32(?,00000000), ref: 00DAC39A
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DAC3AD
                                        • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00DAC48F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                        • API String ID: 973565025-2107944366
                                        • Opcode ID: 5a437ca7f0316cb35bc5ef1903e6cf58afaeefdbce3f1292fe1641f9a9ceedc1
                                        • Instruction ID: bfdae7814b7d50439553cb8c8f7ffba9a161c2d14c5f48aef8e8f60b9eb8f0ad
                                        • Opcode Fuzzy Hash: 5a437ca7f0316cb35bc5ef1903e6cf58afaeefdbce3f1292fe1641f9a9ceedc1
                                        • Instruction Fuzzy Hash: BF51AB71204304AFDB10EF24D896F6A7BE5EB99314F04492DF9918B2E1DB70E948DB72
                                        APIs
                                          • Part of subcall function 00D78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D78D0D
                                          • Part of subcall function 00D78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D78D3A
                                          • Part of subcall function 00D78CC3: GetLastError.KERNEL32 ref: 00D78D47
                                        • ExitWindowsEx.USER32(?,00000000), ref: 00D8549B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-194228
                                        • Opcode ID: d5285c1ef765a9f7a034f576c333fde6bae6ad54705920e36d2e5afa5a47620e
                                        • Instruction ID: 905355c06ee96007c7a97f0881b2260631056e0c4bc3b61f4532917bc189ad49
                                        • Opcode Fuzzy Hash: d5285c1ef765a9f7a034f576c333fde6bae6ad54705920e36d2e5afa5a47620e
                                        • Instruction Fuzzy Hash: 39014731694B016AE72873BCFC4ABBA7258EB01743F280021FC4BD21C6DA608C8083B0
                                        APIs
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 00D965EF
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D965FE
                                        • bind.WS2_32(00000000,?,00000010), ref: 00D9661A
                                        • listen.WS2_32(00000000,00000005), ref: 00D96629
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D96643
                                        • closesocket.WS2_32(00000000), ref: 00D96657
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                        • String ID:
                                        • API String ID: 1279440585-0
                                        • Opcode ID: 6ebf82baac39004f699f43f9091f0b83e8c98cfd1e6411bf9ad200667a7f74c2
                                        • Instruction ID: bfc9efba99fc639ad8ced96d7cdea418ed0123f34872d86a589f2135bf1eed09
                                        • Opcode Fuzzy Hash: 6ebf82baac39004f699f43f9091f0b83e8c98cfd1e6411bf9ad200667a7f74c2
                                        • Instruction Fuzzy Hash: 41218B30600210AFDB10AF64D889B6EB7A9EF49724F1481A9E95AE7391DB70ED01CB71
                                        APIs
                                          • Part of subcall function 00D40FF6: std::exception::exception.LIBCMT ref: 00D4102C
                                          • Part of subcall function 00D40FF6: __CxxThrowException@8.LIBCMT ref: 00D41041
                                        • _memmove.LIBCMT ref: 00D7062F
                                        • _memmove.LIBCMT ref: 00D70744
                                        • _memmove.LIBCMT ref: 00D707EB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                        • String ID:
                                        • API String ID: 1300846289-0
                                        • Opcode ID: 44d2e75c0f17a7b763b400b51907865e676c3ebda6c10fdb4c46f918d328bec6
                                        • Instruction ID: 52062b1f84556354f14b9c83c5841d5ade0e4cadd46424372e1515a02140e65a
                                        • Opcode Fuzzy Hash: 44d2e75c0f17a7b763b400b51907865e676c3ebda6c10fdb4c46f918d328bec6
                                        • Instruction Fuzzy Hash: 2B0280B0A00205DBDF14DF64E981AAEBBB5FF44304F148069E84ADB395EB31DA55CBB1
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00D219FA
                                        • GetSysColor.USER32(0000000F), ref: 00D21A4E
                                        • SetBkColor.GDI32(?,00000000), ref: 00D21A61
                                          • Part of subcall function 00D21290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00D212D8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ColorDialogNtdllProc_$LongWindow
                                        • String ID:
                                        • API String ID: 591255283-0
                                        • Opcode ID: ba3d7158312a3155a0fcf4e745463104a25e04d19cee426078d13ce7a93ce0cf
                                        • Instruction ID: 8dcb7b6950ae3fbf0ca230652b812e111d3175902bfedf14f1c5a635c82fb587
                                        • Opcode Fuzzy Hash: ba3d7158312a3155a0fcf4e745463104a25e04d19cee426078d13ce7a93ce0cf
                                        • Instruction Fuzzy Hash: 27A18C781015A5BEDB38AB387C85E7F355DDB723AEB18810AFC42D6191CA22CD0292B5
                                        APIs
                                          • Part of subcall function 00D980A0: inet_addr.WS2_32(00000000), ref: 00D980CB
                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00D96AB1
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D96ADA
                                        • bind.WS2_32(00000000,?,00000010), ref: 00D96B13
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D96B20
                                        • closesocket.WS2_32(00000000), ref: 00D96B34
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 99427753-0
                                        • Opcode ID: 3d5f944650c435ef944b3da83b9d359aeb6127154152b421103253605c6d508a
                                        • Instruction ID: 77c8fe45cfa7da7d90dcaf00cca575453cc50f7f8e334dcdbf77e0dda279de9b
                                        • Opcode Fuzzy Hash: 3d5f944650c435ef944b3da83b9d359aeb6127154152b421103253605c6d508a
                                        • Instruction Fuzzy Hash: F941C875B00320AFEB10AF64EC96F6EB7A5DF19714F048058F95AAB3C2DA709D0087B1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        • Opcode ID: ce31d77673e7166ef7baebda97a99dada17b19a2343c08d4263c426ba649f7fa
                                        • Instruction ID: b63c28380ff94be163c54b044a3da0de7cca890336f40b30cbea9db65de159a6
                                        • Opcode Fuzzy Hash: ce31d77673e7166ef7baebda97a99dada17b19a2343c08d4263c426ba649f7fa
                                        • Instruction Fuzzy Hash: 8711C132B00A216FE7215F66EC44B6FBB99EF56721B8C4029F846D7241CB70D9018AB5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __itow__swprintf
                                        • String ID:
                                        • API String ID: 674341424-0
                                        • Opcode ID: 74f146e93657e3602e60ff249a49ed5f2d78cf82fb6c04be50ad30dc5a096fea
                                        • Instruction ID: 394dcbcde7f58bd4ef3185140537ae8ce2ea2b9dc24d5d664aaee04227c10a84
                                        • Opcode Fuzzy Hash: 74f146e93657e3602e60ff249a49ed5f2d78cf82fb6c04be50ad30dc5a096fea
                                        • Instruction Fuzzy Hash: 4C228A716083119FC724DF24C991B6BB7E4EF98718F14491DF89A97291EB30EA44CBB2
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00D9F151
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00D9F15F
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                        • Process32NextW.KERNEL32(00000000,?), ref: 00D9F21F
                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D9F22E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                        • String ID:
                                        • API String ID: 2576544623-0
                                        • Opcode ID: 091119775f19e34fcd6522030b98eb6ea3ce42736f8b8877b82659aa1a874625
                                        • Instruction ID: b0f2f91797aac9acb493c155c058295635c983b3e8d2039995dc4b8f6d9b86f5
                                        • Opcode Fuzzy Hash: 091119775f19e34fcd6522030b98eb6ea3ce42736f8b8877b82659aa1a874625
                                        • Instruction Fuzzy Hash: A2514A71508311ABD720EF24EC86A6BB7E8EF98714F14482DF595D7291EB70A904CBB2
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • GetCursorPos.USER32(?), ref: 00DAC7C2
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D5BBFB,?,?,?,?,?), ref: 00DAC7D7
                                        • GetCursorPos.USER32(?), ref: 00DAC824
                                        • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D5BBFB,?,?,?), ref: 00DAC85E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                        • String ID:
                                        • API String ID: 1423138444-0
                                        • Opcode ID: 2ea74e5f07d93f233494e5989399166947b6e66ce054fdd404d8e7056b1bdeb1
                                        • Instruction ID: af28c25ffa8a7a5778a3d61b5a7aa4bd8cac3e451dd5676b70f33383aba3d40e
                                        • Opcode Fuzzy Hash: 2ea74e5f07d93f233494e5989399166947b6e66ce054fdd404d8e7056b1bdeb1
                                        • Instruction Fuzzy Hash: 70319439600158EFCB15DFA8C898EEA7BB6FB4A720F0440A9F9458B261D7359D50DFB0
                                        APIs
                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D840D1
                                        • _memset.LIBCMT ref: 00D840F2
                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D84144
                                        • CloseHandle.KERNEL32(00000000), ref: 00D8414D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                        • String ID:
                                        • API String ID: 1157408455-0
                                        • Opcode ID: 5dd7b1c8d5ea812f0be3a93ea7f0fee565ee01d993b1dabbdadf2db88a62579f
                                        • Instruction ID: 0973faa838961ab993de04b532778fd813cace091c441d772f8673ad89f7644d
                                        • Opcode Fuzzy Hash: 5dd7b1c8d5ea812f0be3a93ea7f0fee565ee01d993b1dabbdadf2db88a62579f
                                        • Instruction Fuzzy Hash: EF11A7759013287AD7309BA5AC4DFABBB7CEF45760F1042EAF908D7280D6744E808BB4
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00D212D8
                                        • GetClientRect.USER32(?,?), ref: 00D5B84B
                                        • GetCursorPos.USER32(?), ref: 00D5B855
                                        • ScreenToClient.USER32(?,?), ref: 00D5B860
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                        • String ID:
                                        • API String ID: 1010295502-0
                                        • Opcode ID: d0812a03c64cf065bb1866f2754dcc9cf507c3ec3d30e8c72c42f59b5263f892
                                        • Instruction ID: 1a800e8e8853c9c1ffdd275079ceb8dfa5dffacc5ed24c7aae3c1caf3e60726d
                                        • Opcode Fuzzy Hash: d0812a03c64cf065bb1866f2754dcc9cf507c3ec3d30e8c72c42f59b5263f892
                                        • Instruction Fuzzy Hash: CD112B39900129EFCB10EF94E8869AE77B8FF26305F104495F951E7251C730BA518BB9
                                        APIs
                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D91AFE,00000000), ref: 00D926D5
                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D9270C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Internet$AvailableDataFileQueryRead
                                        • String ID:
                                        • API String ID: 599397726-0
                                        • Opcode ID: a0ab6db153901d26737f3f09c737ae904328c9b3cf5550b6999037ed73f489b3
                                        • Instruction ID: 1dd000d5e3dbb9343712ae1c3dd2a293cd90c312c5e95117b6d2f7e75d6ddebb
                                        • Opcode Fuzzy Hash: a0ab6db153901d26737f3f09c737ae904328c9b3cf5550b6999037ed73f489b3
                                        • Instruction Fuzzy Hash: E241E375A00309BFEF20DF94DC85EBBB7BCEB40724F14406AF645A6640EAB1EE419670
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00D8B5AE
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D8B608
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D8B655
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        • Opcode ID: 4437677c1aa741797e77d0fceb9d8ba08c780c794ec11d22cb86462a2a180dbc
                                        • Instruction ID: 6afcfaaf6a01dbf1d84fbc42719bb33bcad051edfd66d2047514beee205991fb
                                        • Opcode Fuzzy Hash: 4437677c1aa741797e77d0fceb9d8ba08c780c794ec11d22cb86462a2a180dbc
                                        • Instruction Fuzzy Hash: AF216235A00618EFCB00EFA5D885EADFBB8FF49314F1480AAE845EB351DB319955CB61
                                        APIs
                                          • Part of subcall function 00D40FF6: std::exception::exception.LIBCMT ref: 00D4102C
                                          • Part of subcall function 00D40FF6: __CxxThrowException@8.LIBCMT ref: 00D41041
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D78D0D
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D78D3A
                                        • GetLastError.KERNEL32 ref: 00D78D47
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                        • String ID:
                                        • API String ID: 1922334811-0
                                        • Opcode ID: 5fff03f5b5dfeabcb68712b86c5c5a4bd0e99ba65d4daeef3bc19bcbbfcfa6c0
                                        • Instruction ID: 2150d2c27540a31edd1d43366aa5c5119d03722b28b395de2d51537cea0a02d6
                                        • Opcode Fuzzy Hash: 5fff03f5b5dfeabcb68712b86c5c5a4bd0e99ba65d4daeef3bc19bcbbfcfa6c0
                                        • Instruction Fuzzy Hash: 7A118FB1414309AFD7289F64DC89D6BBBBCEB48711B24856EF45A93241EB30AC408A70
                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D84C2C
                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D84C43
                                        • FreeSid.ADVAPI32(?), ref: 00D84C53
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                        • String ID:
                                        • API String ID: 3429775523-0
                                        • Opcode ID: 0324bc6885327f2646a40ed36a5ed572529afa987c0023e4eb287caf2b9874eb
                                        • Instruction ID: bcb7ddc20fe9876a360ceeee020e3e08ce35fdbc2f93a52021a5ef5aa1bac574
                                        • Opcode Fuzzy Hash: 0324bc6885327f2646a40ed36a5ed572529afa987c0023e4eb287caf2b9874eb
                                        • Instruction Fuzzy Hash: 3FF04975A1130DBFDF04DFF0DC89AAEBBBCEF08201F0044A9A901E2281E6706A048B64
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70793663d0820a6b6aa07baf54fc0f2341bf8f5d504525afb75e80dbfc8a2486
                                        • Instruction ID: af6c476c43812a79f8f0dabfcec677a0740af7b82f84d8b789e9233fbbf10ec4
                                        • Opcode Fuzzy Hash: 70793663d0820a6b6aa07baf54fc0f2341bf8f5d504525afb75e80dbfc8a2486
                                        • Instruction Fuzzy Hash: 7822B174A04225DFDB24DF58D481AAEB7F0FF28304F188569E8969B341E734E985CBB1
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        • GetParent.USER32(?), ref: 00D5BA0A
                                        • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00D219B3,?,?,?,00000006,?), ref: 00D5BA84
                                        Similarity
                                        • API ID: LongWindow$DialogNtdllParentProc_
                                        • String ID:
                                        • API String ID: 314495775-0
                                        • Opcode ID: eea6536c5acae36c2373f66acefb01d9ea287c318825bb00e67f7a1509f447d5
                                        • Instruction ID: c4dd295f451c94c14138a760d9fafa72ae576371d0c1e91a284acf8bbbd0a094
                                        • Opcode Fuzzy Hash: eea6536c5acae36c2373f66acefb01d9ea287c318825bb00e67f7a1509f447d5
                                        • Instruction Fuzzy Hash: C521A238200164EFCB209F28D884DA93B96EB6A378F688251F9155B3E1C7719D11DB70
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00D8C966
                                        • FindClose.KERNEL32(00000000), ref: 00D8C996
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 3e72cae43db34703d15b42942b8a8012945037f1417754e3564c7be17a697348
                                        • Instruction ID: 707f4f67b2398120a5a83f10cddec6cd29bb4028936562b50807e8fef1d19dfa
                                        • Opcode Fuzzy Hash: 3e72cae43db34703d15b42942b8a8012945037f1417754e3564c7be17a697348
                                        • Instruction Fuzzy Hash: F4118E326106109FDB10EF29D845A2AF7E9EF95324F00895EF8A9D7291DB30AC00CBA1
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00D5BB8A,?,?,?), ref: 00DAC8E1
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00DAC8C7
                                        Similarity
                                        • API ID: LongWindow$DialogMessageNtdllProc_Send
                                        • String ID:
                                        • API String ID: 1273190321-0
                                        • Opcode ID: e2ebc343a82f31418576a4e20fe96a8e91c0c10ae83a359420dadab9c056d375
                                        • Instruction ID: 78434201d0261749571be2d5e08e940ff614c6f48e7176bd7bc1fe2a40b39cf7
                                        • Opcode Fuzzy Hash: e2ebc343a82f31418576a4e20fe96a8e91c0c10ae83a359420dadab9c056d375
                                        • Instruction Fuzzy Hash: ED01D831200214EBCB216F24DC84E663BA6FF96374F184564F9514B3E0C776D801EBB1
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 00DACC51
                                        • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00D5BC66,?,?,?,?,?), ref: 00DACC7A
                                        Similarity
                                        • API ID: ClientDialogNtdllProc_Screen
                                        • String ID:
                                        • API String ID: 3420055661-0
                                        • Opcode ID: e02a25986e4c579cb3fd617ff73418b60d8cebbd0d14b0a7735221af2839ceb7
                                        • Instruction ID: af25d4f94cd4c584c29a46dfadd1624ee4613ca3367d2ae08edbc696c0b11e16
                                        • Opcode Fuzzy Hash: e02a25986e4c579cb3fd617ff73418b60d8cebbd0d14b0a7735221af2839ceb7
                                        • Instruction Fuzzy Hash: ADF0307241021CFFDF049F85DC499AE7FB9FB49321F04415AF90592261D3716A50EBB4
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D9977D,?,00DAFB84,?), ref: 00D8A302
                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D9977D,?,00DAFB84,?), ref: 00D8A314
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 5558fc956f1e285b688894ff56a32bb219d68c9acb23f8c317f7ebdeb306d908
                                        • Instruction ID: a840fd9f91baf27f36207521555ffcfba7472394436dfc784c27f02cac75d11a
                                        • Opcode Fuzzy Hash: 5558fc956f1e285b688894ff56a32bb219d68c9acb23f8c317f7ebdeb306d908
                                        • Instruction Fuzzy Hash: 36F05E3554422DABEB20AFA4CC48FEA776DEF09762F0041A6B908D6281D6309944CBB1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00DACD74
                                        • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00D5BBE5,?,?,?,?), ref: 00DACDA2
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: f5e9de3ba3e2e25c260dbb6a1c22a736730ba44b61e739b834ee652405862f6d
                                        • Instruction ID: b0349c0a8f257530316c34ff03a5f1c52806bdd78e24622fd0b00d3e4e96a763
                                        • Opcode Fuzzy Hash: f5e9de3ba3e2e25c260dbb6a1c22a736730ba44b61e739b834ee652405862f6d
                                        • Instruction Fuzzy Hash: B5E08670100254BFEF245F29DC09FBA3B54EB06760F408625F996DA1E1C770D850D770
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D78851), ref: 00D78728
                                        • CloseHandle.KERNEL32(?,?,00D78851), ref: 00D7873A
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: 5dbccebc7992691e0495bb4b858b6afae43603797aec2bde3833a61dc9a8098b
                                        • Instruction ID: aeb366d79e1b1af646572124b4c9b230d0e00dc6cec3deec892d8a3f893bb749
                                        • Opcode Fuzzy Hash: 5dbccebc7992691e0495bb4b858b6afae43603797aec2bde3833a61dc9a8098b
                                        • Instruction Fuzzy Hash: 5DE0B676010650EFEB252B60EC09E777BA9EB05350B288969F496C0470DB62ACD0DB30
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00DB4178,00D48F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00D4A39A
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D4A3A3
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: cceeda5d9d73261a47ae10cbaab7e9e40afbcabbaf74a4e3358a9718ab2b6488
                                        • Instruction ID: fbbe53277cf45ee606142f7d0c13da0c5eb0f7c7f7aaf1741eaa81c748ab4ec7
                                        • Opcode Fuzzy Hash: cceeda5d9d73261a47ae10cbaab7e9e40afbcabbaf74a4e3358a9718ab2b6488
                                        • Instruction Fuzzy Hash: 41B09231054308ABCF002BD1EC59B883F68EB46AA2F4040A0F60DC4260CBA294508AA1
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ccbd266ea5eb2e998eebbf272262ee96ff05029ef2770e27eadc0a22982b21a9
                                        • Instruction ID: 8dddc57558da8ae45a436f10e4421effc64e78bd9139a5662be5b6f4c3ed91f5
                                        • Opcode Fuzzy Hash: ccbd266ea5eb2e998eebbf272262ee96ff05029ef2770e27eadc0a22982b21a9
                                        • Instruction Fuzzy Hash: 68320622D69F418EDB239634D872335A289AFB73C4F15D737F819B5AB6EB28C4834110
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a5dba7a5a2444cbf09854956f55e4ed39908a79be1904e68c0366f71574294b2
                                        • Instruction ID: 13c66e6608eddfe2bcbdbec6b58141f03c19c20dc0e4bc68f7473575a3c64c4f
                                        • Opcode Fuzzy Hash: a5dba7a5a2444cbf09854956f55e4ed39908a79be1904e68c0366f71574294b2
                                        • Instruction Fuzzy Hash: 85B10320D2AF418DD72396398831336BB8CAFBB2D5F51D71BFC1AB4E22EB2185834141
                                        APIs
                                        • __time64.LIBCMT ref: 00D88B25
                                          • Part of subcall function 00D4543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D891F8,00000000,?,?,?,?,00D893A9,00000000,?), ref: 00D45443
                                          • Part of subcall function 00D4543A: __aulldiv.LIBCMT ref: 00D45463
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Time$FileSystem__aulldiv__time64
                                        • String ID:
                                        • API String ID: 2893107130-0
                                        • Opcode ID: 3e8084385c03a58ba62a3bc8395cd9619f902c97a0515ebf0a73ebc7183b4332
                                        • Instruction ID: 6f8ad3f0d385edc46e181874c774dc75af681bcb5622b1fc211a02b1718f4e24
                                        • Opcode Fuzzy Hash: 3e8084385c03a58ba62a3bc8395cd9619f902c97a0515ebf0a73ebc7183b4332
                                        • Instruction Fuzzy Hash: 9321E4726356108BC729DF25D441A52B3E1EFA4311B688E6CE0E9CF2D0CA34BD05DBA4
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00DADB46
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 1cc14681150337db77007b0426b8559568f90e20ebc30afef5991ea0f605290b
                                        • Instruction ID: 2457566b447a3256c1d365e08c25afb1f55ccea79db5426739efda2b4595871a
                                        • Opcode Fuzzy Hash: 1cc14681150337db77007b0426b8559568f90e20ebc30afef5991ea0f605290b
                                        • Instruction Fuzzy Hash: B0110D72204265BFEB245E2CCC45F7A3726EB47B20F284314F9639BAD1CA61DD009375
                                        APIs
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00D5BBA2,?,?,?,?,00000000,?), ref: 00DAD740
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 02d3ec324945b8e0ef3020034fde1fc5284162cf37d74e0216469ab99a2c8a62
                                        • Instruction ID: 62ca8e504395fe3a598b16bf29346615003c8df6cdb30521ef09b809fbac5d80
                                        • Opcode Fuzzy Hash: 02d3ec324945b8e0ef3020034fde1fc5284162cf37d74e0216469ab99a2c8a62
                                        • Instruction Fuzzy Hash: 4101F135600158ABDB189F29D889BFA3BA3EB57324F0C4125F9575B6A2C331AC2197B0
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                          • Part of subcall function 00D22344: GetCursorPos.USER32(?), ref: 00D22357
                                          • Part of subcall function 00D22344: ScreenToClient.USER32(00DE67B0,?), ref: 00D22374
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000001), ref: 00D22399
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000002), ref: 00D223A7
                                        • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00D5BC4F,?,?,?,?,?,00000001,?), ref: 00DAC272
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                        • String ID:
                                        • API String ID: 2356834413-0
                                        • Opcode ID: ce79fe248ea490c1e58862356ef9857884fa58cff76149cecde0053d367929a5
                                        • Instruction ID: 1eb866bfaaa6fa1bd719c464eee3aee1e5fae5f3864bad3ad4a6927968affe9f
                                        • Opcode Fuzzy Hash: ce79fe248ea490c1e58862356ef9857884fa58cff76149cecde0053d367929a5
                                        • Instruction Fuzzy Hash: 60F08230200228ABDF14AF49DC46EBA3B91EB15765F004455F9465B291CB75E860EFF0
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00D21B04,?,?,?,?,?), ref: 00D218E2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: de55ad8590490e072f8401eacdeaa93c78419ce6905d24b80dbd6f041bdf059e
                                        • Instruction ID: 6ec4bfe78cfef031846055b9e03e9882f18f6cb1b18e7e567d2addd93832140f
                                        • Opcode Fuzzy Hash: de55ad8590490e072f8401eacdeaa93c78419ce6905d24b80dbd6f041bdf059e
                                        • Instruction Fuzzy Hash: CAF0BE34600268AFCB18EF14E89093637A2FB703A4F008529F9528B3A0CB31DC50EB70
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 00D94218
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: eb5deda4b77d31a5c78b5a66f230b4baedb3a774c1dd396bf00e68bbe2109393
                                        • Instruction ID: 435024e032ec23360057c040fb1f1eb1804c0b7a386ccc74c66def35f5d5e5af
                                        • Opcode Fuzzy Hash: eb5deda4b77d31a5c78b5a66f230b4baedb3a774c1dd396bf00e68bbe2109393
                                        • Instruction Fuzzy Hash: 75E04F322402149FDB10EF69E845E9AF7E8EFA8760F048026FC49C7352DA70E8418BB0
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00DACBEE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 21fd6655e64f95e5e78b92cef4530bfc4318d1f2a815821b0ad9dde519d0a5bb
                                        • Instruction ID: 7461253d0a8d991331f99912518d9b9cfece7f6a6d274024035692ceb9bdb714
                                        • Opcode Fuzzy Hash: 21fd6655e64f95e5e78b92cef4530bfc4318d1f2a815821b0ad9dde519d0a5bb
                                        • Instruction Fuzzy Hash: F5F06D32640394AFDB21EF58DC45FC63B95EB1A760F084458BA21672E1CB71B820E7B0
                                        APIs
                                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D84EEC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: mouse_event
                                        • String ID:
                                        • API String ID: 2434400541-0
                                        • Opcode ID: 59116c56f44b142bbc4847a906b74646a663eb40e8d6ebcc4892633856890f7c
                                        • Instruction ID: b4047ca018075c929d3dc1cd5b8212ce45ea7be3ecde7fc13521a6860bbdf842
                                        • Opcode Fuzzy Hash: 59116c56f44b142bbc4847a906b74646a663eb40e8d6ebcc4892633856890f7c
                                        • Instruction Fuzzy Hash: A6D05E9816070739EC2A6B24DC5FF772108F300782FD8418AB542C94C1E8D0AC505230
                                        APIs
                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D788D1), ref: 00D78CB3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: LogonUser
                                        • String ID:
                                        • API String ID: 1244722697-0
                                        • Opcode ID: ac5f5e5fb9aa680c5ea0b229b33554b233cc3b41b7f453bce0a51bd5e441f460
                                        • Instruction ID: 00c23477e121755e19b7fe9445bce12e62b884638ca8572618190cb2d9330802
                                        • Opcode Fuzzy Hash: ac5f5e5fb9aa680c5ea0b229b33554b233cc3b41b7f453bce0a51bd5e441f460
                                        • Instruction Fuzzy Hash: 6FD05E322A060EABEF018FA4DC01EAE3B69EB04B01F408111FE15C51A1C775D835AB60
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00D5BC0C,?,?,?,?,?,?), ref: 00DACC24
                                          • Part of subcall function 00DAB8EF: _memset.LIBCMT ref: 00DAB8FE
                                          • Part of subcall function 00DAB8EF: _memset.LIBCMT ref: 00DAB90D
                                          • Part of subcall function 00DAB8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00DE7F20,00DE7F64), ref: 00DAB93C
                                          • Part of subcall function 00DAB8EF: CloseHandle.KERNEL32 ref: 00DAB94E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                        • String ID:
                                        • API String ID: 2364484715-0
                                        • Opcode ID: e4c471e84a2706693bae0fc4a68891ddb3d18725a8f8e88557fb7883a4a2d01b
                                        • Instruction ID: 95b4f2fcce01591597369bf0d4df57bdd963c9bbc10592f540b849e1d49d1fd8
                                        • Opcode Fuzzy Hash: e4c471e84a2706693bae0fc4a68891ddb3d18725a8f8e88557fb7883a4a2d01b
                                        • Instruction Fuzzy Hash: 10E04631110208DFCB01AF58DD40E8537A5FB1D360F004051FA055B2B2CB31E960EF60
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00D21AEE,?,?,?), ref: 00D216AB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 004017109c11dd0326775f84e2aa2839334aec86694979609889f10108e6f674
                                        • Instruction ID: c5fe8736fafba416bec769caa05ae1f9f305c80404643900174b3e353e7e1666
                                        • Opcode Fuzzy Hash: 004017109c11dd0326775f84e2aa2839334aec86694979609889f10108e6f674
                                        • Instruction Fuzzy Hash: 56E0EC35500218BBCF15BF90DC51E643B26FB69358F108458FA454A3A1CA72A921EB70
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 00DACB75
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 548aa65c443549c52587ea4a6a154f78536085c524e2ad94a19e1c4f657bf528
                                        • Instruction ID: 94b678367a4e0a97b309e8ab81f6001252cae341a585317b449da8e21dbe406e
                                        • Opcode Fuzzy Hash: 548aa65c443549c52587ea4a6a154f78536085c524e2ad94a19e1c4f657bf528
                                        • Instruction Fuzzy Hash: 3AE04275244349AFDB01EF98D885E963BA5AB1D740F014494FA159B362CB71A820EBB1
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 00DACBA4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        • Opcode ID: 7ebb1c2c89c1ed28c9b5618f6e4b2327a6c305efbd5a23ccef4e96f8982cb47d
                                        • Instruction ID: d702421a189cd46471bbbb93a63dbfc80fd24ff4160ebfbfa5ecf443780e41c0
                                        • Opcode Fuzzy Hash: 7ebb1c2c89c1ed28c9b5618f6e4b2327a6c305efbd5a23ccef4e96f8982cb47d
                                        • Instruction Fuzzy Hash: 11E0E235200348EFCB01EF88D884D863BA5AB1D300F004094FA058B362CB71A820EBB1
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                          • Part of subcall function 00D2201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D220D3
                                          • Part of subcall function 00D2201B: KillTimer.USER32(-00000001,?,?,?,?,00D216CB,00000000,?,?,00D21AE2,?,?), ref: 00D2216E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00D21AE2,?,?), ref: 00D216D4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                        • String ID:
                                        • API String ID: 2797419724-0
                                        • Opcode ID: 3d1add9596a2b552d79c671f0b24b03480cb6943f431c1cf4a3b3399728ac1fa
                                        • Instruction ID: 09698c01c271983a32b46f3c4988e02c6cf330b83e5636afe98e231e6c965dd9
                                        • Opcode Fuzzy Hash: 3d1add9596a2b552d79c671f0b24b03480cb6943f431c1cf4a3b3399728ac1fa
                                        • Instruction Fuzzy Hash: 10D0123114031877DA203FA1ED17F593A19DB64754F408420BA04692D3CAB1A810A5B8
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 00D62242
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID:
                                        • API String ID: 2645101109-0
                                        • Opcode ID: 1fe3753f640f0665452bee71d0575bbe590fbe1a42a6033012ce9e9cdeba0bac
                                        • Instruction ID: e60957577e341a266399bab9994be55d4ebf334b3d8c2ce5411a37aa1d68f03d
                                        • Opcode Fuzzy Hash: 1fe3753f640f0665452bee71d0575bbe590fbe1a42a6033012ce9e9cdeba0bac
                                        • Instruction Fuzzy Hash: 2CC04CF5800109DBDB05DB90D988DEE77BCAB05304F144095A181F2100D7749B448A75
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D4A36A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 61c3a458785d94335d7bde876e710902488014fcaed0c0aa1b50e81e206ee79c
                                        • Instruction ID: c8b5948205fc17f8240b9df6f4454d1d263cee02e931ca26e30601f04f7b24f4
                                        • Opcode Fuzzy Hash: 61c3a458785d94335d7bde876e710902488014fcaed0c0aa1b50e81e206ee79c
                                        • Instruction Fuzzy Hash: 8FA0113000020CAB8F002B82EC08888BFACEA022A0B0080A0F80C80222CB32A8208AA0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 829094c5f2d61e9c71c09e9c6f174e55cff2a633f226ba3e9480a4fc05baa827
                                        • Instruction ID: 4727469d1883cae31858b1e89b17a520817a0acb20a2d3423a2241a4bbd6b05d
                                        • Opcode Fuzzy Hash: 829094c5f2d61e9c71c09e9c6f174e55cff2a633f226ba3e9480a4fc05baa827
                                        • Instruction Fuzzy Hash: 20221930905716CBDF288B28D49467DB7B1FB41344F6C846AF4868B295EB70DD82EB72
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: 9692d0fd8a84226b0e04e43b2af52755d7206e542da88010bae92278c59d0881
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: 0EC170362050930BEB2D8639947413EBAE16EA27B139E075DF4B2CB5C5FF20D569DA30
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: 71c3a11f688b33a8a39e4c47ab7f0ae0840be9e6cfc618072fc371b74d8c1a82
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: C7C172372451930BEB2D463A847403EBAE16EA27B139E075DE4B2DB5C4FF20D5699A30
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 7a2b0ebc5b1e14473125bc71a5eecb8a16903664fe5622888d5b56170281cc18
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: 88C1933B2451930BEF2D463A947403EBAE16EA27B135E076DE4B2CB5C4FF10D5A99630
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                        • Instruction ID: e8c95aaf951c312196b94e30a4f3a3662afdce5037ecf7c5f83a57bd6e003544
                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                        • Instruction Fuzzy Hash: C541D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                        • Instruction ID: 817454ed95edc7cb7bd4ccff728785ab5cee3d8e21e31538508b97c60e7cbfc9
                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                        • Instruction Fuzzy Hash: 10018078A10219EFCB44DF98C5909AEF7F5FB48210F208699DD09A7701D730AE41DB80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                        • Instruction ID: 3f33bce4ec53cd938cd661acec7a71a23230c41250a4e54e8b31fbc1dcbbb825
                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                        • Instruction Fuzzy Hash: CD018C78A1021AEFCB44DF98C5909AEF7B5FF48210F208699ED09A7301D730AE42DB80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1284029492.0000000001227000.00000040.00000020.00020000.00000000.sdmp, Offset: 01227000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_1227000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,00DAF910), ref: 00DA38AF
                                        • IsWindowVisible.USER32(?), ref: 00DA38D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BuffCharUpperVisibleWindow
                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                        • API String ID: 4105515805-45149045
                                        • Opcode ID: 5dc5210e73a34e0a14e156e3709b62b5114791d21f812664d321aff9b7f38934
                                        • Instruction ID: 41d70ee19e65cd8deaeb65ab4573f870c4baa9d8e5076524f85dd60cf1dedd0f
                                        • Opcode Fuzzy Hash: 5dc5210e73a34e0a14e156e3709b62b5114791d21f812664d321aff9b7f38934
                                        • Instruction Fuzzy Hash: 61D18130204315DBCB14EF20C851E6ABBA6EF55358F15885DB8C65B3A6DB31EE0ACB71
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 00DAA89F
                                        • GetSysColorBrush.USER32(0000000F), ref: 00DAA8D0
                                        • GetSysColor.USER32(0000000F), ref: 00DAA8DC
                                        • SetBkColor.GDI32(?,000000FF), ref: 00DAA8F6
                                        • SelectObject.GDI32(?,?), ref: 00DAA905
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00DAA930
                                        • GetSysColor.USER32(00000010), ref: 00DAA938
                                        • CreateSolidBrush.GDI32(00000000), ref: 00DAA93F
                                        • FrameRect.USER32(?,?,00000000), ref: 00DAA94E
                                        • DeleteObject.GDI32(00000000), ref: 00DAA955
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00DAA9A0
                                        • FillRect.USER32(?,?,?), ref: 00DAA9D2
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DAA9FD
                                          • Part of subcall function 00DAAB60: GetSysColor.USER32(00000012), ref: 00DAAB99
                                          • Part of subcall function 00DAAB60: SetTextColor.GDI32(?,?), ref: 00DAAB9D
                                          • Part of subcall function 00DAAB60: GetSysColorBrush.USER32(0000000F), ref: 00DAABB3
                                          • Part of subcall function 00DAAB60: GetSysColor.USER32(0000000F), ref: 00DAABBE
                                          • Part of subcall function 00DAAB60: GetSysColor.USER32(00000011), ref: 00DAABDB
                                          • Part of subcall function 00DAAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DAABE9
                                          • Part of subcall function 00DAAB60: SelectObject.GDI32(?,00000000), ref: 00DAABFA
                                          • Part of subcall function 00DAAB60: SetBkColor.GDI32(?,00000000), ref: 00DAAC03
                                          • Part of subcall function 00DAAB60: SelectObject.GDI32(?,?), ref: 00DAAC10
                                          • Part of subcall function 00DAAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00DAAC2F
                                          • Part of subcall function 00DAAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DAAC46
                                          • Part of subcall function 00DAAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00DAAC5B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                        • String ID:
                                        • API String ID: 4124339563-0
                                        • Opcode ID: 02ea9d0bea8d3f30e0e23f032e3f11198041005567a0ae7b20fb03927657496c
                                        • Instruction ID: 83b47facd714676ca3ea17708931bb8d8bf1d8ce3589301015f9ae21c6869035
                                        • Opcode Fuzzy Hash: 02ea9d0bea8d3f30e0e23f032e3f11198041005567a0ae7b20fb03927657496c
                                        • Instruction Fuzzy Hash: 0DA18371408301AFD7109FA4DC08A5B7BE9FF8A321F144B29F5A2D62E0D735D945CB62
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 00D977F1
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D978B0
                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D978EE
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D97900
                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D97946
                                        • GetClientRect.USER32(00000000,?), ref: 00D97952
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D97996
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D979A5
                                        • GetStockObject.GDI32(00000011), ref: 00D979B5
                                        • SelectObject.GDI32(00000000,00000000), ref: 00D979B9
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D979C9
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D979D2
                                        • DeleteDC.GDI32(00000000), ref: 00D979DB
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D97A07
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00D97A1E
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D97A59
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D97A6D
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00D97A7E
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D97AAE
                                        • GetStockObject.GDI32(00000011), ref: 00D97AB9
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D97AC4
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D97ACE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-517079104
                                        • Opcode ID: 977dec9a0ec5627ded9bfa512053deb3a9ff96131907b98dc9b86cf751acc24d
                                        • Instruction ID: 06ef5716302f36f46fc390ba1de08bb66d4fa30128fe00fc7ada4d5d3aec4a25
                                        • Opcode Fuzzy Hash: 977dec9a0ec5627ded9bfa512053deb3a9ff96131907b98dc9b86cf751acc24d
                                        • Instruction Fuzzy Hash: 68A16E71A40215BFEB149BA4DC8AFAEBBB9EB49714F044154FA15EB2E0D770AD00CB74
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00D8AF89
                                        • GetDriveTypeW.KERNEL32(?,00DAFAC0,?,\\.\,00DAF910), ref: 00D8B066
                                        • SetErrorMode.KERNEL32(00000000,00DAFAC0,?,\\.\,00DAF910), ref: 00D8B1C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: f6c84208a1239b2450dee63802827a8723f7b33b88013e025cf9f9256edd4030
                                        • Instruction ID: 942288bb0e0b3ae33c457fa3ccc587fa5607783fe9e60c60468356cfc8a3f425
                                        • Opcode Fuzzy Hash: f6c84208a1239b2450dee63802827a8723f7b33b88013e025cf9f9256edd4030
                                        • Instruction Fuzzy Hash: AD51C030684305AF8B10FF68C9A69BDB3B0EB15361B648017E40AAB391C735DD49DB72
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 1038674560-86951937
                                        • Opcode ID: 461b895c64d6517537a7029e62b9592ff747ac6aa7b8d0fef54699d3d3eab78a
                                        • Instruction ID: 432832673a55a6a660a9c5a8f589c26094d93193177c28571ba837e909f5c975
                                        • Opcode Fuzzy Hash: 461b895c64d6517537a7029e62b9592ff747ac6aa7b8d0fef54699d3d3eab78a
                                        • Instruction Fuzzy Hash: ED810671640325ABCF25BF64ED83FAA7768EF25704F084025FD45AA182EB70DB59C2B1
                                        APIs
                                        • DestroyWindow.USER32(?,?,?), ref: 00D22CA2
                                        • DeleteObject.GDI32(00000000), ref: 00D22CE8
                                        • DeleteObject.GDI32(00000000), ref: 00D22CF3
                                        • DestroyCursor.USER32(00000000), ref: 00D22CFE
                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00D22D09
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D5C68B
                                        • 6FDA0200.COMCTL32(?,000000FF,?), ref: 00D5C6C4
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D5CAED
                                          • Part of subcall function 00D21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D22036,?,00000000,?,?,?,?,00D216CB,00000000,?), ref: 00D21B9A
                                        • SendMessageW.USER32(?,00001053), ref: 00D5CB2A
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D5CB41
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
                                        • String ID: 0
                                        • API String ID: 377055139-4108050209
                                        • Opcode ID: c3c1768f8cfbf877d2f30b65c739f8cd43855aaf94c7820e4793fd2ca4a130bf
                                        • Instruction ID: 13cec5f3ab92d534de4ad22670cd35fcf9f0d038ad930495c99cea31a9548d31
                                        • Opcode Fuzzy Hash: c3c1768f8cfbf877d2f30b65c739f8cd43855aaf94c7820e4793fd2ca4a130bf
                                        • Instruction Fuzzy Hash: 0F129A30614311AFCB20CF24C884BA9BBA1FF19316F5855A9FC95DB662C731E846DBB0
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 00DAAB99
                                        • SetTextColor.GDI32(?,?), ref: 00DAAB9D
                                        • GetSysColorBrush.USER32(0000000F), ref: 00DAABB3
                                        • GetSysColor.USER32(0000000F), ref: 00DAABBE
                                        • CreateSolidBrush.GDI32(?), ref: 00DAABC3
                                        • GetSysColor.USER32(00000011), ref: 00DAABDB
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DAABE9
                                        • SelectObject.GDI32(?,00000000), ref: 00DAABFA
                                        • SetBkColor.GDI32(?,00000000), ref: 00DAAC03
                                        • SelectObject.GDI32(?,?), ref: 00DAAC10
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00DAAC2F
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DAAC46
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00DAAC5B
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DAACA7
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DAACCE
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00DAACEC
                                        • DrawFocusRect.USER32(?,?), ref: 00DAACF7
                                        • GetSysColor.USER32(00000011), ref: 00DAAD05
                                        • SetTextColor.GDI32(?,00000000), ref: 00DAAD0D
                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DAAD21
                                        • SelectObject.GDI32(?,00DAA869), ref: 00DAAD38
                                        • DeleteObject.GDI32(?), ref: 00DAAD43
                                        • SelectObject.GDI32(?,?), ref: 00DAAD49
                                        • DeleteObject.GDI32(?), ref: 00DAAD4E
                                        • SetTextColor.GDI32(?,?), ref: 00DAAD54
                                        • SetBkColor.GDI32(?,?), ref: 00DAAD5E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: 3682b9ffc13eef0138d7c47590358af95ce6325fc20e3422bda4d7865b6dda54
                                        • Instruction ID: fd1c235b3503fa5478a668719337f02206100952f0abe49ea40368bfa63ba3e1
                                        • Opcode Fuzzy Hash: 3682b9ffc13eef0138d7c47590358af95ce6325fc20e3422bda4d7865b6dda54
                                        • Instruction Fuzzy Hash: 63616D71900218EFDF119FA8DC48EAE7B79EB0A320F144265F911EB2A1D7759D40DBA0
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DA8D34
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DA8D45
                                        • CharNextW.USER32(0000014E), ref: 00DA8D74
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DA8DB5
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DA8DCB
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DA8DDC
                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DA8DF9
                                        • SetWindowTextW.USER32(?,0000014E), ref: 00DA8E45
                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DA8E5B
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DA8E8C
                                        • _memset.LIBCMT ref: 00DA8EB1
                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DA8EFA
                                        • _memset.LIBCMT ref: 00DA8F59
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DA8F83
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00DA8FDB
                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00DA9088
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00DA90AA
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DA90F4
                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DA9121
                                        • DrawMenuBar.USER32(?), ref: 00DA9130
                                        • SetWindowTextW.USER32(?,0000014E), ref: 00DA9158
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                        • String ID: 0
                                        • API String ID: 1073566785-4108050209
                                        • Opcode ID: b6cab4cbc39075828d95713f6dceed03539902f70751b6c2c1b5e394e76c6d78
                                        • Instruction ID: 19bfb286e9f33d42b67b9259d4319962e69a57d8394611c5cc9d3296224d4b48
                                        • Opcode Fuzzy Hash: b6cab4cbc39075828d95713f6dceed03539902f70751b6c2c1b5e394e76c6d78
                                        • Instruction Fuzzy Hash: 36E18070900219AFDF209F64CC88EEEBBB9EF16710F188155FD55AA291DB708A85DF70
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00DA4C51
                                        • GetDesktopWindow.USER32 ref: 00DA4C66
                                        • GetWindowRect.USER32(00000000), ref: 00DA4C6D
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DA4CCF
                                        • DestroyWindow.USER32(?), ref: 00DA4CFB
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DA4D24
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DA4D42
                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DA4D68
                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00DA4D7D
                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DA4D90
                                        • IsWindowVisible.USER32(?), ref: 00DA4DB0
                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DA4DCB
                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DA4DDF
                                        • GetWindowRect.USER32(?,?), ref: 00DA4DF7
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00DA4E1D
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00DA4E37
                                        • CopyRect.USER32(?,?), ref: 00DA4E4E
                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00DA4EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: c5b3a31feff2e94672b07ddca75635652f3d66dacab1ad9c55524fd3aaf5f4c3
                                        • Instruction ID: f9174ce8b8132845823fa9ab7adc3df1a825576b8d5747c3a65636e060a23be1
                                        • Opcode Fuzzy Hash: c5b3a31feff2e94672b07ddca75635652f3d66dacab1ad9c55524fd3aaf5f4c3
                                        • Instruction Fuzzy Hash: 34B18B71608350AFDB04DF64D845B6ABBE4FF8A314F04891CF5999B2A1D7B1EC04CBA2
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D228BC
                                        • GetSystemMetrics.USER32(00000007), ref: 00D228C4
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D228EF
                                        • GetSystemMetrics.USER32(00000008), ref: 00D228F7
                                        • GetSystemMetrics.USER32(00000004), ref: 00D2291C
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D22939
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D22949
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D2297C
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D22990
                                        • GetClientRect.USER32(00000000,000000FF), ref: 00D229AE
                                        • GetStockObject.GDI32(00000011), ref: 00D229CA
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D229D5
                                          • Part of subcall function 00D22344: GetCursorPos.USER32(?), ref: 00D22357
                                          • Part of subcall function 00D22344: ScreenToClient.USER32(00DE67B0,?), ref: 00D22374
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000001), ref: 00D22399
                                          • Part of subcall function 00D22344: GetAsyncKeyState.USER32(00000002), ref: 00D223A7
                                        • SetTimer.USER32(00000000,00000000,00000028,00D21256), ref: 00D229FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: 5cc94f53aeac6133f2ec952cec78b074eeb39f6c26c528602a8ea60369fc3e51
                                        • Instruction ID: f04ca801f426a9a57984962bfc381f749138f4c6e0b8afd472062ce20e19e174
                                        • Opcode Fuzzy Hash: 5cc94f53aeac6133f2ec952cec78b074eeb39f6c26c528602a8ea60369fc3e51
                                        • Instruction Fuzzy Hash: BFB15D71A0031AAFDB14DFA8DC85BAE7BB4FB18315F148229FA15E6290DB74D841CB70
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcscat$A1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                        • API String ID: 3483108802-1459072770
                                        • Opcode ID: 07ce55c5236b463cc2b4e22df0c52c51cf874fcebc80f22037e84b03710e50e7
                                        • Instruction ID: dabc95e2e7d6df98d66bf73971efaa47190996220dbd339a361016a9aba86929
                                        • Opcode Fuzzy Hash: 07ce55c5236b463cc2b4e22df0c52c51cf874fcebc80f22037e84b03710e50e7
                                        • Instruction Fuzzy Hash: C3411775A002057BEB10BBB58C43EBF7BBCEF46710F04406AF944E6182EB749A0597B5
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00DA40F6
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DA41B6
                                        Strings
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 3974292440-719923060
                                        • Opcode ID: 8b2be3147be57d951b870b06c993987e116faac757e4147c75c881efd81fcb5f
                                        • Instruction ID: 6012be670d3892c412d3a3f4e241a003195ebad11d09a407941b26fb1bff0ccf
                                        • Opcode Fuzzy Hash: 8b2be3147be57d951b870b06c993987e116faac757e4147c75c881efd81fcb5f
                                        • Instruction Fuzzy Hash: 86A1BE30214311DFCB14EF20C952A6AB7A5EF95318F14896DB8969B7D2DB70EC09CB71
                                        APIs
                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00D95309
                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00D95314
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00D9531F
                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00D9532A
                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00D95335
                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00D95340
                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00D9534B
                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00D95356
                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00D95361
                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00D9536C
                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00D95377
                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00D95382
                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00D9538D
                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00D95398
                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00D953A3
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00D953AE
                                        • GetCursorInfo.USER32(?), ref: 00D953BE
                                        • GetLastError.KERNEL32(00000001,00000000), ref: 00D953E9
                                        Similarity
                                        • API ID: Cursor$Load$ErrorInfoLast
                                        • String ID:
                                        • API String ID: 3215588206-0
                                        • Opcode ID: fb7c5466945d1aa284bae6ff81104986c96a6973add328931432bb02a05b6900
                                        • Instruction ID: 56eee26fc200d29d71774bbce7506f71de9eb6585c1f16439bc0e3ee2dbaf2ab
                                        • Opcode Fuzzy Hash: fb7c5466945d1aa284bae6ff81104986c96a6973add328931432bb02a05b6900
                                        • Instruction Fuzzy Hash: EF415F70E483196ADF109FBA9C4996EFFB8EF51B50B10453FE509E7290DAB8A4018F61
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00D7AAA5
                                        • __swprintf.LIBCMT ref: 00D7AB46
                                        • _wcscmp.LIBCMT ref: 00D7AB59
                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D7ABAE
                                        • _wcscmp.LIBCMT ref: 00D7ABEA
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00D7AC21
                                        • GetDlgCtrlID.USER32(?), ref: 00D7AC73
                                        • GetWindowRect.USER32(?,?), ref: 00D7ACA9
                                        • GetParent.USER32(?), ref: 00D7ACC7
                                        • ScreenToClient.USER32(00000000), ref: 00D7ACCE
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00D7AD48
                                        • _wcscmp.LIBCMT ref: 00D7AD5C
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00D7AD82
                                        • _wcscmp.LIBCMT ref: 00D7AD96
                                          • Part of subcall function 00D4386C: _iswctype.LIBCMT ref: 00D43874
                                        Strings
                                        Similarity
                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                        • String ID: %s%u
                                        • API String ID: 3744389584-679674701
                                        • Opcode ID: 043ff76f3fb49643c1a5dd0b8c7185987b4babac228cf17da68caf8f5d3f9ae1
                                        • Instruction ID: 5f07f322b04ac9b906a1face9a152c0d31fe92f7967ace18603124876eba3d7a
                                        • Opcode Fuzzy Hash: 043ff76f3fb49643c1a5dd0b8c7185987b4babac228cf17da68caf8f5d3f9ae1
                                        • Instruction Fuzzy Hash: 82A1A071204306ABD725DF68C884BAEB7A8FF84315F048529F99DD2150F730E945CBB2
                                        APIs
                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00D7B3DB
                                        • _wcscmp.LIBCMT ref: 00D7B3EC
                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00D7B414
                                        • CharUpperBuffW.USER32(?,00000000), ref: 00D7B431
                                        • _wcscmp.LIBCMT ref: 00D7B44F
                                        • _wcsstr.LIBCMT ref: 00D7B460
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00D7B498
                                        • _wcscmp.LIBCMT ref: 00D7B4A8
                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00D7B4CF
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00D7B518
                                        • _wcscmp.LIBCMT ref: 00D7B528
                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00D7B550
                                        • GetWindowRect.USER32(00000004,?), ref: 00D7B5B9
                                        Strings
                                        Similarity
                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                        • String ID: @$ThumbnailClass
                                        • API String ID: 1788623398-1539354611
                                        • Opcode ID: 21ab0b6445cff16c602d906347a035a152e4e109d1d318a9f96d1c01af48e570
                                        • Instruction ID: 7f6783b4e7a62d14890d7e4b1af979dd4354d856bf0d183903644ac0d646c115
                                        • Opcode Fuzzy Hash: 21ab0b6445cff16c602d906347a035a152e4e109d1d318a9f96d1c01af48e570
                                        • Instruction Fuzzy Hash: EC818E710083059FDB14DF14D885FAA7BE8EF44328F08856AFD899A196EB34DD49CB71
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                        • API String ID: 1038674560-1810252412
                                        • Opcode ID: 10d86dc1f85982a925a6b47c26f0910521e29d2c72b911289a51a152c6bac919
                                        • Instruction ID: 6dd1c98c812916d46a7f1e4f12e7080637099e99cfb9da9587fa8e4cdfc10acb
                                        • Opcode Fuzzy Hash: 10d86dc1f85982a925a6b47c26f0910521e29d2c72b911289a51a152c6bac919
                                        • Instruction Fuzzy Hash: 3B31E030A45215AADB14FA60DD53FEEB7B4DF20764F60402AF445B21E6FF22AE08C674
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 00D7C4D4
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D7C4E6
                                        • SetWindowTextW.USER32(?,?), ref: 00D7C4FD
                                        • GetDlgItem.USER32(?,000003EA), ref: 00D7C512
                                        • SetWindowTextW.USER32(00000000,?), ref: 00D7C518
                                        • GetDlgItem.USER32(?,000003E9), ref: 00D7C528
                                        • SetWindowTextW.USER32(00000000,?), ref: 00D7C52E
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D7C54F
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D7C569
                                        • GetWindowRect.USER32(?,?), ref: 00D7C572
                                        • SetWindowTextW.USER32(?,?), ref: 00D7C5DD
                                        • GetDesktopWindow.USER32 ref: 00D7C5E3
                                        • GetWindowRect.USER32(00000000), ref: 00D7C5EA
                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D7C636
                                        • GetClientRect.USER32(?,?), ref: 00D7C643
                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D7C668
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D7C693
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                        • String ID:
                                        • API String ID: 3869813825-0
                                        • Opcode ID: 3ac06e4aa02932fde294fe170470cc89681e8ae0eed5b71eca93ede88e4611a1
                                        • Instruction ID: f785e8f899d8c84fee6a6b55bc1bd63bedbe8517aef6f9c6cc0e639383a6c7b2
                                        • Opcode Fuzzy Hash: 3ac06e4aa02932fde294fe170470cc89681e8ae0eed5b71eca93ede88e4611a1
                                        • Instruction Fuzzy Hash: AE515C70900709AFDB209FA8DD89B6EBBF5FF04705F04492CE686A26A0D775F904CB60
                                        APIs
                                        • _memset.LIBCMT ref: 00DAA4C8
                                        • DestroyWindow.USER32(?,?), ref: 00DAA542
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DAA5BC
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DAA5DE
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DAA5F1
                                        • DestroyWindow.USER32(00000000), ref: 00DAA613
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D20000,00000000), ref: 00DAA64A
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DAA663
                                        • GetDesktopWindow.USER32 ref: 00DAA67C
                                        • GetWindowRect.USER32(00000000), ref: 00DAA683
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DAA69B
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DAA6B3
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        Strings
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                        • String ID: 0$tooltips_class32
                                        • API String ID: 1297703922-3619404913
                                        • Opcode ID: bdd2898db1baf497f0e3d3e7ea1b35a8204e2c2b346066757b06e9f6e65c2f00
                                        • Instruction ID: ae432c9f89f54c76adadebbe101ba6a6fcf2548fbc8bbfadce82e7adfe69e7bb
                                        • Opcode Fuzzy Hash: bdd2898db1baf497f0e3d3e7ea1b35a8204e2c2b346066757b06e9f6e65c2f00
                                        • Instruction Fuzzy Hash: EE716871140745AFD720DF28CC49F6A7BE5EB9A304F0C4A29F9858B2A1D770E906CF66
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00DA46AB
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DA46F6
                                        Strings
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 3974292440-4258414348
                                        • Opcode ID: baa340f150381ba8c2841c826a895caa3d59cdcde0f04cea81a90a552363b888
                                        • Instruction ID: 7ff2e01f9558772f094802c8c7f2c861fd96db5bb147af7525f11635e3084b8a
                                        • Opcode Fuzzy Hash: baa340f150381ba8c2841c826a895caa3d59cdcde0f04cea81a90a552363b888
                                        • Instruction Fuzzy Hash: A591AD346043118FCB14EF20D451A6EBBA1EF95318F04886DF8965B7A2DB71ED4ACBB1
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DABB6E
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DA9431), ref: 00DABBCA
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DABC03
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DABC46
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DABC7D
                                        • FreeLibrary.KERNEL32(?), ref: 00DABC89
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DABC99
                                        • DestroyCursor.USER32(?), ref: 00DABCA8
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DABCC5
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DABCD1
                                          • Part of subcall function 00D4313D: __wcsicmp_l.LIBCMT ref: 00D431C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 3907162815-1154884017
                                        • Opcode ID: d7ae89c306197baa2b197598940e11b52220a3a0a39b78949664256376a85831
                                        • Instruction ID: 21918664c70c52d098930d343f126063b4ef697b7bf14943d15b58ac9c1e815a
                                        • Opcode Fuzzy Hash: d7ae89c306197baa2b197598940e11b52220a3a0a39b78949664256376a85831
                                        • Instruction Fuzzy Hash: 2661DE71500719BBEB14DF74CC81FBA77A8EB09721F10461AF815D61C2DB74AA91DBB0
                                        APIs
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • CharLowerBuffW.USER32(?,?), ref: 00D8A636
                                        • GetDriveTypeW.KERNEL32 ref: 00D8A683
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8A6CB
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8A702
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8A730
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                        • API String ID: 2698844021-4113822522
                                        • Opcode ID: 895a28fa60c69b7c4a5aaac442b6197314cf8339018e334452c36a28b4ecac19
                                        • Instruction ID: 89934f418737196900df53df120dfd085935458c2ba6dd5f7c7c39199c4246b5
                                        • Opcode Fuzzy Hash: 895a28fa60c69b7c4a5aaac442b6197314cf8339018e334452c36a28b4ecac19
                                        • Instruction Fuzzy Hash: 2B5167711087159FC710EF24D89196AB7F8EF94718F04896DF886972A1DB31EE0ACB72
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D8A47A
                                        • __swprintf.LIBCMT ref: 00D8A49C
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00D8A4D9
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D8A4FE
                                        • _memset.LIBCMT ref: 00D8A51D
                                        • _wcsncpy.LIBCMT ref: 00D8A559
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D8A58E
                                        • CloseHandle.KERNEL32(00000000), ref: 00D8A599
                                        • RemoveDirectoryW.KERNEL32(?), ref: 00D8A5A2
                                        • CloseHandle.KERNEL32(00000000), ref: 00D8A5AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                        • String ID: :$\$\??\%s
                                        • API String ID: 2733774712-3457252023
                                        • Opcode ID: 4b4a1f1f8f391e89190ed4cb6bb83274f4fbbdb476def905e518aca0d8819232
                                        • Instruction ID: bea827d5ed3ed619a7ee75a5f2c72979a22b6c3d62869f51aabc6cd9b03d0613
                                        • Opcode Fuzzy Hash: 4b4a1f1f8f391e89190ed4cb6bb83274f4fbbdb476def905e518aca0d8819232
                                        • Instruction Fuzzy Hash: 903190B6500209ABEB219FA4DC49FEB73BCEF89701F1441B6FA08D2160E77497858B35
                                        APIs
                                          • Part of subcall function 00D7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D78766
                                          • Part of subcall function 00D7874A: GetLastError.KERNEL32(?,00D7822A,?,?,?), ref: 00D78770
                                          • Part of subcall function 00D7874A: GetProcessHeap.KERNEL32(00000008,?,?,00D7822A,?,?,?), ref: 00D7877F
                                          • Part of subcall function 00D7874A: RtlAllocateHeap.NTDLL(00000000,?,00D7822A), ref: 00D78786
                                          • Part of subcall function 00D7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D7879D
                                          • Part of subcall function 00D787E7: GetProcessHeap.KERNEL32(00000008,00D78240,00000000,00000000,?,00D78240,?), ref: 00D787F3
                                          • Part of subcall function 00D787E7: RtlAllocateHeap.NTDLL(00000000,?,00D78240), ref: 00D787FA
                                          • Part of subcall function 00D787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D78240,?), ref: 00D7880B
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D78458
                                        • _memset.LIBCMT ref: 00D7846D
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D7848C
                                        • GetLengthSid.ADVAPI32(?), ref: 00D7849D
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00D784DA
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D784F6
                                        • GetLengthSid.ADVAPI32(?), ref: 00D78513
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D78522
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00D78529
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D7854A
                                        • CopySid.ADVAPI32(00000000), ref: 00D78551
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D78582
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D785A8
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D785BC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: 5f2ed6967d21fec6abac160f5cf559c91b56c70e3b6f68d5be52132051447c8a
                                        • Instruction ID: daf4e9c758d167d9ceb87ebb0addb3b991a12c0ee8986b74ea9b4d098cd571f5
                                        • Opcode Fuzzy Hash: 5f2ed6967d21fec6abac160f5cf559c91b56c70e3b6f68d5be52132051447c8a
                                        • Instruction Fuzzy Hash: 5A613C7194020AABDF10DF94DC49AAEBBB9FF05300F14816AE919E7291EB319A05DF70
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00D976A2
                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D976AE
                                        • CreateCompatibleDC.GDI32(?), ref: 00D976BA
                                        • SelectObject.GDI32(00000000,?), ref: 00D976C7
                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D9771B
                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D97757
                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D9777B
                                        • SelectObject.GDI32(00000006,?), ref: 00D97783
                                        • DeleteObject.GDI32(?), ref: 00D9778C
                                        • DeleteDC.GDI32(00000006), ref: 00D97793
                                        • ReleaseDC.USER32(00000000,?), ref: 00D9779E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: 5b3661eada9748eedf3cc5bde2c7754673a667c4f5a8ed7da28ea2385b3465db
                                        • Instruction ID: 10889f6421919d238a0439cfc2318690f05acc0bab3f51e8635f9a38ec722364
                                        • Opcode Fuzzy Hash: 5b3661eada9748eedf3cc5bde2c7754673a667c4f5a8ed7da28ea2385b3465db
                                        • Instruction Fuzzy Hash: 23512875904309EFCB15CFA8CC85EAEBBB9EF49710F14856DF99997310D731A9408B60
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00DAFB78), ref: 00D8A0FC
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 00D8A11E
                                        • __swprintf.LIBCMT ref: 00D8A177
                                        • __swprintf.LIBCMT ref: 00D8A190
                                        • _wprintf.LIBCMT ref: 00D8A246
                                        • _wprintf.LIBCMT ref: 00D8A264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 311963372-2391861430
                                        • Opcode ID: 50d8d514aa3aa3218fb566d2319ad82c4b167760d8006b98e52f7fc52d7a58d7
                                        • Instruction ID: 44588a5a4af84e4636cf587d97c0136ae3aa4cd70500b666de97da534784a728
                                        • Opcode Fuzzy Hash: 50d8d514aa3aa3218fb566d2319ad82c4b167760d8006b98e52f7fc52d7a58d7
                                        • Instruction Fuzzy Hash: 6E517D7190021AAADF25FBA4DD86EEEB778EF24304F140165F505721A1EB316F48DB71
                                        APIs
                                          • Part of subcall function 00D40B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D26C6C,?,00008000), ref: 00D40BB7
                                          • Part of subcall function 00D248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D248A1,?,?,00D237C0,?), ref: 00D248CE
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D26D0D
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00D26E5A
                                          • Part of subcall function 00D259CD: _wcscpy.LIBCMT ref: 00D25A05
                                          • Part of subcall function 00D4387D: _iswctype.LIBCMT ref: 00D43885
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                        • API String ID: 537147316-1018226102
                                        • Opcode ID: 1a6bd549369789218a4ce05e93d362569491e0609ef04c87bce4d9e9801bbf88
                                        • Instruction ID: 1f1990cc1937ad9c4d7a8056ba4eb508331660426b4c7a8ec15533d296ff309e
                                        • Opcode Fuzzy Hash: 1a6bd549369789218a4ce05e93d362569491e0609ef04c87bce4d9e9801bbf88
                                        • Instruction Fuzzy Hash: ED027E311083519FCB24EF24D891AAFBBE5EFA5318F04491DF895972A1DB30DA49CB72
                                        APIs
                                        • _memset.LIBCMT ref: 00D245F9
                                        • GetMenuItemCount.USER32(00DE6890), ref: 00D5D7CD
                                        • GetMenuItemCount.USER32(00DE6890), ref: 00D5D87D
                                        • GetCursorPos.USER32(?), ref: 00D5D8C1
                                        • SetForegroundWindow.USER32(00000000), ref: 00D5D8CA
                                        • TrackPopupMenuEx.USER32(00DE6890,00000000,?,00000000,00000000,00000000), ref: 00D5D8DD
                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D5D8E9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                        • String ID:
                                        • API String ID: 2751501086-0
                                        • Opcode ID: e1a7c0a5887850f9d12077757d7008ec0a3b34c5b381799bbd2384bd244ac2ca
                                        • Instruction ID: a3feab52d99a0f0157a44800da3df9fd8cc1d2e7b792e959fab252c3d99a71a4
                                        • Opcode Fuzzy Hash: e1a7c0a5887850f9d12077757d7008ec0a3b34c5b381799bbd2384bd244ac2ca
                                        • Instruction Fuzzy Hash: 3E71E270601215BAEF309F54DC85FAABF65FB0536AF240216FD15A61E1CBB19814DBB0
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA0038,?,?), ref: 00DA10BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 3964851224-909552448
                                        • Opcode ID: 4bc3e3a014359e9d02f9b3c41d8a70c596d070efee3f447b64cc2d7238cdb105
                                        • Instruction ID: 7a525526132ff6c2d1fcf4ffab417681f4fbfa4302850514657da7945a77264f
                                        • Opcode Fuzzy Hash: 4bc3e3a014359e9d02f9b3c41d8a70c596d070efee3f447b64cc2d7238cdb105
                                        • Instruction Fuzzy Hash: 2B41273455035ACBCF10EF90E892AEA3724EF22354F55445AED915B792DB30E91ACB70
                                        APIs
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                          • Part of subcall function 00D27A84: _memmove.LIBCMT ref: 00D27B0D
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D855D2
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D855E8
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D855F9
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D8560B
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D8561C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: SendString$_memmove
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2279737902-1007645807
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 208665112-3771769585
                                        APIs
                                        • timeGetTime.WINMM ref: 00D8521C
                                          • Part of subcall function 00D40719: timeGetTime.WINMM(?,75A4B400,00D30FF9), ref: 00D4071D
                                        • Sleep.KERNEL32(0000000A), ref: 00D85248
                                        • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00D8526C
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D8528E
                                        • SetActiveWindow.USER32 ref: 00D852AD
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D852BB
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00D852DA
                                        • Sleep.KERNEL32(000000FA), ref: 00D852E5
                                        • IsWindow.USER32 ref: 00D852F1
                                        • EndDialog.USER32(00000000), ref: 00D85302
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        APIs
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • CoInitialize.OLE32(00000000), ref: 00D8D855
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D8D8E8
                                        • SHGetDesktopFolder.SHELL32(?), ref: 00D8D8FC
                                        • CoCreateInstance.COMBASE(00DB2D7C,00000000,00000001,00DDA89C,?), ref: 00D8D948
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D8D9B7
                                        • CoTaskMemFree.COMBASE(?), ref: 00D8DA0F
                                        • _memset.LIBCMT ref: 00D8DA4C
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00D8DA88
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D8DAAB
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00D8DAB2
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00D8DAE9
                                        • CoUninitialize.COMBASE ref: 00D8DAEB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                        • String ID:
                                        • API String ID: 1246142700-0
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00D805A7
                                        • SetKeyboardState.USER32(?), ref: 00D80612
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00D80632
                                        • GetKeyState.USER32(000000A0), ref: 00D80649
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00D80678
                                        • GetKeyState.USER32(000000A1), ref: 00D80689
                                        • GetAsyncKeyState.USER32(00000011), ref: 00D806B5
                                        • GetKeyState.USER32(00000011), ref: 00D806C3
                                        • GetAsyncKeyState.USER32(00000012), ref: 00D806EC
                                        • GetKeyState.USER32(00000012), ref: 00D806FA
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00D80723
                                        • GetKeyState.USER32(0000005B), ref: 00D80731
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 00D7C746
                                        • GetWindowRect.USER32(00000000,?), ref: 00D7C758
                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D7C7B6
                                        • GetDlgItem.USER32(?,00000002), ref: 00D7C7C1
                                        • GetWindowRect.USER32(00000000,?), ref: 00D7C7D3
                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D7C827
                                        • GetDlgItem.USER32(?,000003E9), ref: 00D7C835
                                        • GetWindowRect.USER32(00000000,?), ref: 00D7C846
                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D7C889
                                        • GetDlgItem.USER32(?,000003EA), ref: 00D7C897
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D7C8B4
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00D7C8C1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        APIs
                                          • Part of subcall function 00D225DB: GetWindowLongW.USER32(?,000000EB), ref: 00D225EC
                                        • GetSysColor.USER32(0000000F), ref: 00D221D3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,00DAF910), ref: 00D8AB76
                                        • GetDriveTypeW.KERNEL32(00000061,00DDA620,00000061), ref: 00D8AC40
                                        • _wcscpy.LIBCMT ref: 00D8AC6A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: BuffCharDriveLowerType_wcscpy
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2820617543-1000479233
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: __i64tow__itow__swprintf
                                        • String ID: %.15g$0x%p$False$True
                                        • API String ID: 421087845-2263619337
                                        APIs
                                        • _memset.LIBCMT ref: 00DA73D9
                                        • CreateMenu.USER32 ref: 00DA73F4
                                        • SetMenu.USER32(?,00000000), ref: 00DA7403
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA7490
                                        • IsMenu.USER32(?), ref: 00DA74A6
                                        • CreatePopupMenu.USER32 ref: 00DA74B0
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DA74DD
                                        • DrawMenuBar.USER32 ref: 00DA74E5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                        • String ID: 0$F
                                        • API String ID: 176399719-3044882817
                                        APIs
                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00DA77CD
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00DA77D4
                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DA77E7
                                        • SelectObject.GDI32(00000000,00000000), ref: 00DA77EF
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DA77FA
                                        • DeleteDC.GDI32(00000000), ref: 00DA7803
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00DA780D
                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00DA7821
                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00DA782D
                                         Memory Dump Source
                                         • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                        • String ID: static
                                        • API String ID: 2559357485-2160076837
                                        APIs
                                        • _memset.LIBCMT ref: 00D4707B
                                          • Part of subcall function 00D48D68: __getptd_noexit.LIBCMT ref: 00D48D68
                                        • __gmtime64_s.LIBCMT ref: 00D47114
                                        • __gmtime64_s.LIBCMT ref: 00D4714A
                                        • __gmtime64_s.LIBCMT ref: 00D47167
                                        • __allrem.LIBCMT ref: 00D471BD
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D471D9
                                        • __allrem.LIBCMT ref: 00D471F0
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D4720E
                                        • __allrem.LIBCMT ref: 00D47225
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D47243
                                        • __invoke_watson.LIBCMT ref: 00D472B4
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                        • String ID:
                                        • API String ID: 384356119-0
                                        APIs
                                        • _memset.LIBCMT ref: 00D82A31
                                        • GetMenuItemInfoW.USER32(00DE6890,000000FF,00000000,00000030), ref: 00D82A92
                                        • SetMenuItemInfoW.USER32(00DE6890,00000004,00000000,00000030), ref: 00D82AC8
                                        • Sleep.KERNEL32(000001F4), ref: 00D82ADA
                                        • GetMenuItemCount.USER32(?), ref: 00D82B1E
                                        • GetMenuItemID.USER32(?,00000000), ref: 00D82B3A
                                        • GetMenuItemID.USER32(?,-00000001), ref: 00D82B64
                                        • GetMenuItemID.USER32(?,?), ref: 00D82BA9
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D82BEF
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D82C03
                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D82C24
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                        • String ID:
                                        • API String ID: 4176008265-0
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DA7214
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DA7217
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DA723B
                                        • _memset.LIBCMT ref: 00DA724C
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DA725E
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DA72D6
                                        Similarity
                                        • API ID: MessageSend$LongWindow_memset
                                        • String ID:
                                        • API String ID: 830647256-0
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D77135
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00D7718E
                                        • VariantInit.OLEAUT32(?), ref: 00D771A0
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00D771C0
                                        • VariantCopy.OLEAUT32(?,?), ref: 00D77213
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00D77227
                                        • VariantClear.OLEAUT32(?), ref: 00D7723C
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00D77249
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D77252
                                        • VariantClear.OLEAUT32(?), ref: 00D77264
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D7726F
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        Similarity
                                        • API ID: Variant$ClearInit$_memset
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                        • API String ID: 2862541840-1765764032
                                        APIs
                                        • WSAStartup.WS2_32(00000101,?), ref: 00D95AA6
                                        • inet_addr.WS2_32(?), ref: 00D95AEB
                                        • gethostbyname.WS2_32(?), ref: 00D95AF7
                                        • IcmpCreateFile.IPHLPAPI ref: 00D95B05
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D95B75
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D95B8B
                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D95C00
                                        • WSACleanup.WS2_32 ref: 00D95C06
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        Strings
                                        • failed to get memory, xrefs: 00D36488
                                        • internal error: missing capturing bracket, xrefs: 00D71158
                                        • ERCP, xrefs: 00D36313
                                        • argument not compiled in 16 bit mode, xrefs: 00D71150
                                        • argument is not a compiled regular expression, xrefs: 00D71160
                                        • internal error: opcode not recognized, xrefs: 00D3647D
                                        Similarity
                                        • API ID: _memset$_memmove
                                        • String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
                                        • API String ID: 2532777613-264027815
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00D8B73B
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D8B7B1
                                        • GetLastError.KERNEL32 ref: 00D8B7BB
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00D8B828
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D794F6
                                        • GetDlgCtrlID.USER32 ref: 00D79501
                                        • GetParent.USER32 ref: 00D7951D
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D79520
                                        • GetDlgCtrlID.USER32(?), ref: 00D79529
                                        • GetParent.USER32(?), ref: 00D79545
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D79548
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1536045017-1403004172
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D795DF
                                        • GetDlgCtrlID.USER32 ref: 00D795EA
                                        • GetParent.USER32 ref: 00D79606
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D79609
                                        • GetDlgCtrlID.USER32(?), ref: 00D79612
                                        • GetParent.USER32(?), ref: 00D7962E
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D79631
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1536045017-1403004172
                                        • Opcode ID: e5f636a0a4d143406c45ad1b22184c86e8b55b370f06e84b6b7b390e654aa7f6
                                        • Instruction ID: f06e3a1902c3c870d18bcb83a8eca4dc0f729a394114235b1d86551ca0595263
                                        • Opcode Fuzzy Hash: e5f636a0a4d143406c45ad1b22184c86e8b55b370f06e84b6b7b390e654aa7f6
                                        • Instruction Fuzzy Hash: E621D071A00204BBDF00ABA0DC95EFEBB78EF59300F144166F961972A5EB7599199B30
                                        APIs
                                        • GetParent.USER32 ref: 00D79651
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00D79666
                                        • _wcscmp.LIBCMT ref: 00D79678
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D796F3
                                        Strings
                                        Similarity
                                        • API ID: ClassMessageNameParentSend_wcscmp
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1704125052-3381328864
                                        • Opcode ID: 6a5479f5d5596f5d32a4bd048ad8d2e6f3534f0c21a9ac92c360c7a2ba7cbfb0
                                        • Instruction ID: 3ef9a066839bd195436337209cb8a0d89b4b5c3f2fbea7f93b727100b5569cb2
                                        • Opcode Fuzzy Hash: 6a5479f5d5596f5d32a4bd048ad8d2e6f3534f0c21a9ac92c360c7a2ba7cbfb0
                                        • Instruction Fuzzy Hash: EB112C77248307BFFA052624EC27DAAF79CDB05360F244267FA04E51D1FE62A9154678
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00D98BEC
                                        • CoInitialize.OLE32(00000000), ref: 00D98C19
                                        • CoUninitialize.COMBASE ref: 00D98C23
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00D98D23
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00D98E50
                                        • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00DB2C0C), ref: 00D98E84
                                        • CoGetObject.OLE32(?,00000000,00DB2C0C,?), ref: 00D98EA7
                                        • SetErrorMode.KERNEL32(00000000), ref: 00D98EBA
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D98F3A
                                        • VariantClear.OLEAUT32(?), ref: 00D98F4A
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                        • String ID:
                                        • API String ID: 2395222682-0
                                        • Opcode ID: 0b21488004d3c3130effff8b9a928c9cb8065ef3ce26bfce20256d3d725eae5a
                                        • Instruction ID: f29e019cb38da64aa7149f2b5cf583c96a394961f40cc606f6097087d67eae9f
                                        • Opcode Fuzzy Hash: 0b21488004d3c3130effff8b9a928c9cb8065ef3ce26bfce20256d3d725eae5a
                                        • Instruction Fuzzy Hash: 84C102B1208305AFDB00DF64C89492AB7E9FF8A748F04496DF58ADB251DB71ED05CB62
                                        APIs
                                        • __swprintf.LIBCMT ref: 00D8419D
                                        • __swprintf.LIBCMT ref: 00D841AA
                                          • Part of subcall function 00D438D8: __woutput_l.LIBCMT ref: 00D43931
                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00D841D4
                                        • LoadResource.KERNEL32(?,00000000), ref: 00D841E0
                                        • LockResource.KERNEL32(00000000), ref: 00D841ED
                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00D8420D
                                        • LoadResource.KERNEL32(?,00000000), ref: 00D8421F
                                        • SizeofResource.KERNEL32(?,00000000), ref: 00D8422E
                                        • LockResource.KERNEL32(?), ref: 00D8423A
                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D8429B
                                        Similarity
                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                        • String ID:
                                        • API String ID: 1433390588-0
                                        • Opcode ID: 7b32c847a8d50d7dc72a0e4b0cbdf54d4c87bbac6e1aee6447e0724a181b9afe
                                        • Instruction ID: a0e71d3d76187caadaabea4f669eb1417ba8c290b44eb015d2b5a60b7b73381a
                                        • Opcode Fuzzy Hash: 7b32c847a8d50d7dc72a0e4b0cbdf54d4c87bbac6e1aee6447e0724a181b9afe
                                        • Instruction Fuzzy Hash: A331AEB160531AABDB11AFA0EC88BBF7BACEF09301F044565F801D6250D734DA518BB8
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00D81700
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D80778,?,00000001), ref: 00D81714
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00D8171B
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D80778,?,00000001), ref: 00D8172A
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D8173C
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D80778,?,00000001), ref: 00D81755
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D80778,?,00000001), ref: 00D81767
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D80778,?,00000001), ref: 00D817AC
                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D80778,?,00000001), ref: 00D817C1
                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D80778,?,00000001), ref: 00D817CC
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        • Opcode ID: 3156e7ec54583df8a1238d604ac09c993c4bf8e80ec0e41fafbee5fa87ea52d2
                                        • Instruction ID: db846a63e7dd4eb754cfd15ad9df7dd5c26b3515e58012c8140ef26e3836102e
                                        • Opcode Fuzzy Hash: 3156e7ec54583df8a1238d604ac09c993c4bf8e80ec0e41fafbee5fa87ea52d2
                                        • Instruction Fuzzy Hash: 40318979604304FBEB61BF64EC88F697BADAF56711F184069F804CA3A0D7B49D468B70
                                        APIs
                                        • EnumChildWindows.USER32(?,00D7AA64), ref: 00D7A9A2
                                        Strings
                                        Similarity
                                        • API ID: ChildEnumWindows
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 3555792229-1603158881
                                        • Opcode ID: e415c9e6cd7403ff3f31606fb8d617352c0048077a4492ae1d845dbb42a957b4
                                        • Instruction ID: c00110d39c08fe285074c5b534b79957d71d331a5a19055db06167d246881c23
                                        • Opcode Fuzzy Hash: e415c9e6cd7403ff3f31606fb8d617352c0048077a4492ae1d845dbb42a957b4
                                        • Instruction Fuzzy Hash: 49916F30A00606ABDB18DF68C481BEDFB64FF44314F54C119E99EA7651EB30AA59CFB1
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00D22EAE
                                          • Part of subcall function 00D21DB3: GetClientRect.USER32(?,?), ref: 00D21DDC
                                          • Part of subcall function 00D21DB3: GetWindowRect.USER32(?,?), ref: 00D21E1D
                                          • Part of subcall function 00D21DB3: ScreenToClient.USER32(?,?), ref: 00D21E45
                                        • GetDC.USER32 ref: 00D5CF82
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D5CF95
                                        • SelectObject.GDI32(00000000,00000000), ref: 00D5CFA3
                                        • SelectObject.GDI32(00000000,00000000), ref: 00D5CFB8
                                        • ReleaseDC.USER32(?,00000000), ref: 00D5CFC0
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D5D04B
                                        Strings
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        • Opcode ID: 0cc3ccc99c4d5d1c6930d8af7a7ab2a642d5a99e1d3e405cc25987364f9b1353
                                        • Instruction ID: 22ab7b97ec287ef022afd3f190d82bad568f5acf9a7983b15a3973a16dfb31e1
                                        • Opcode Fuzzy Hash: 0cc3ccc99c4d5d1c6930d8af7a7ab2a642d5a99e1d3e405cc25987364f9b1353
                                        • Instruction Fuzzy Hash: B571BF30400205EFCF219F68D880ABA7BB6FF59356F184269FD959A2A5C731CC45DB70
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DA7093
                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00DA70A7
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DA70C1
                                        • _wcscat.LIBCMT ref: 00DA711C
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00DA7133
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DA7161
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Window_wcscat
                                        • String ID: -----$SysListView32
                                        • API String ID: 307300125-3975388722
                                        • Opcode ID: 1bd86a8a978cd56979d6b12b40b6f8de96c572b84b661daa71e83a32de1064c0
                                        • Instruction ID: 6e0fb31ebc227f463bb1adeddefba4f37ef6ca6897613f0679874aa6ef07bf08
                                        • Opcode Fuzzy Hash: 1bd86a8a978cd56979d6b12b40b6f8de96c572b84b661daa71e83a32de1064c0
                                        • Instruction Fuzzy Hash: 4141A071A04308AFDB219FA4CC85BEE77F8EF09354F14086AF984E7292D6719D848B74
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00DAF910), ref: 00D9903D
                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00DAF910), ref: 00D99071
                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D991EB
                                        • SysFreeString.OLEAUT32(?), ref: 00D99215
                                        Similarity
                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                        • String ID:
                                        • API String ID: 560350794-0
                                        • Opcode ID: 589ba37dea988972215f602e2b97d4506df8df61c278aca5e370b426a043bebc
                                        • Instruction ID: 207964d12c82ef87a831b0d3a454010bde9fa3797d27a31d10b7b62f6965c4f0
                                        • Opcode Fuzzy Hash: 589ba37dea988972215f602e2b97d4506df8df61c278aca5e370b426a043bebc
                                        • Instruction Fuzzy Hash: 19F14C71A00209EFDF04DF98C898EAEB7B9FF49315F148099F515AB290DB31AE45CB60
                                        APIs
                                        • _memset.LIBCMT ref: 00D9F9C9
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D9FB5C
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D9FB80
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D9FBC0
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D9FBE2
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D9FD5E
                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D9FD90
                                        • CloseHandle.KERNEL32(?), ref: 00D9FDBF
                                        • CloseHandle.KERNEL32(?), ref: 00D9FE36
                                        Similarity
                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                        • String ID:
                                        • API String ID: 4090791747-0
                                        • Opcode ID: e6a4efaaa600118607b4cc5edfc3d2921e61fd13d05f1f6e53074ba6834d3e7c
                                        • Instruction ID: a5fb5556fbc710781d30cc662bd9f823df07132199c7137d3c65dea6e9083b25
                                        • Opcode Fuzzy Hash: e6a4efaaa600118607b4cc5edfc3d2921e61fd13d05f1f6e53074ba6834d3e7c
                                        • Instruction Fuzzy Hash: 0CE1A031604341DFCB14EF24D891A6ABBE1EF85354F18896DF8999B2A2DB31DC44CB72
                                        APIs
                                          • Part of subcall function 00D21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D22036,?,00000000,?,?,?,?,00D216CB,00000000,?), ref: 00D21B9A
                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D220D3
                                        • KillTimer.USER32(-00000001,?,?,?,?,00D216CB,00000000,?,?,00D21AE2,?,?), ref: 00D2216E
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00D5BEF6
                                        • DeleteObject.GDI32(00000000), ref: 00D5BF6C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 2402799130-0
                                        • Opcode ID: 31df378df6df0fb0263dc3db1d5868e0d6bce698d327e6e566a5aad297111177
                                        • Instruction ID: fc2a8dca3ffbd5605436611d41405a01620e79c3bb91736ee42d924f240c2acd
                                        • Opcode Fuzzy Hash: 31df378df6df0fb0263dc3db1d5868e0d6bce698d327e6e566a5aad297111177
                                        • Instruction Fuzzy Hash: 02616C31100760EFCB25AF14ED88B3577B1FF6131AF184569E9828AAA0C775E895DFB0
                                        APIs
                                          • Part of subcall function 00D848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D838D3,?), ref: 00D848C7
                                          • Part of subcall function 00D848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D838D3,?), ref: 00D848E0
                                          • Part of subcall function 00D84CD3: GetFileAttributesW.KERNEL32(?,00D83947), ref: 00D84CD4
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00D84FE2
                                        • _wcscmp.LIBCMT ref: 00D84FFC
                                        • MoveFileW.KERNEL32(?,?), ref: 00D85017
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                        • String ID:
                                        • API String ID: 793581249-0
                                        • Opcode ID: 8ee44a4ca615d6943eea6b84f5c909d84851f32a5ac52e8b32c8f1b97536eb6a
                                        • Instruction ID: 05a8edd53877fceeb3a5af2f62a048c13ca1436be7bf60542b7433a3bce8eb7b
                                        • Opcode Fuzzy Hash: 8ee44a4ca615d6943eea6b84f5c909d84851f32a5ac52e8b32c8f1b97536eb6a
                                        • Instruction Fuzzy Hash: A05152B20087859BC724EBA0D8819DFB3ECEF85341F44492EB289D3151EF74A68C8776
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DA896E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        • Opcode ID: b8610e27ab2a5a5b21c1c488e34f191d395f4212706c75ba694462ba2fb05199
                                        • Instruction ID: 0e0b004761860296ac387c60f14c846c01733784413f9049487211b25feed092
                                        • Opcode Fuzzy Hash: b8610e27ab2a5a5b21c1c488e34f191d395f4212706c75ba694462ba2fb05199
                                        • Instruction Fuzzy Hash: B051B330A00204BFDF209F24DC89B6A7B65FB06354F644512FD51E62A1DF75E980ABB1
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D5C547
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D5C569
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D5C581
                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D5C59F
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D5C5C0
                                        • DestroyCursor.USER32(00000000), ref: 00D5C5CF
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D5C5EC
                                        • DestroyCursor.USER32(?), ref: 00D5C5FB
                                          • Part of subcall function 00DAA71E: DeleteObject.GDI32(00000000), ref: 00DAA757
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                        • String ID:
                                        • API String ID: 2975913752-0
                                        • Opcode ID: ec13dd1296582352942999b9dfc161a0e900d0984bca44b18d5dbd22a6b6412e
                                        • Instruction ID: 02eaf3c87ededa60079ad2a2b67b9c24dde5cedf3a3ef1ce080aebc60c80ff2b
                                        • Opcode Fuzzy Hash: ec13dd1296582352942999b9dfc161a0e900d0984bca44b18d5dbd22a6b6412e
                                        • Instruction Fuzzy Hash: 02514670610309AFDB20DF64DC85BAA3BB5EB69355F140528F942E72A0EB70ED90DB70
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D78A84,00000B00,?,?), ref: 00D78E0C
                                        • RtlAllocateHeap.NTDLL(00000000,?,00D78A84), ref: 00D78E13
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D78A84,00000B00,?,?), ref: 00D78E28
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00D78A84,00000B00,?,?), ref: 00D78E30
                                        • DuplicateHandle.KERNEL32(00000000,?,00D78A84,00000B00,?,?), ref: 00D78E33
                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D78A84,00000B00,?,?), ref: 00D78E43
                                        • GetCurrentProcess.KERNEL32(00D78A84,00000000,?,00D78A84,00000B00,?,?), ref: 00D78E4B
                                        • DuplicateHandle.KERNEL32(00000000,?,00D78A84,00000B00,?,?), ref: 00D78E4E
                                        • CreateThread.KERNEL32(00000000,00000000,00D78E74,00000000,00000000,00000000), ref: 00D78E68
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                        • String ID:
                                        • API String ID: 1422014791-0
                                        • Opcode ID: 0803fdc6f9cfe9f8d44565bac8a86138613e3b359c06d311d5fea2d3a1aae570
                                        • Instruction ID: b573cbceeae3ed12a85e97dfdb5174a2fbb61ab6addbf3cdb8e2c01d242ef835
                                        • Opcode Fuzzy Hash: 0803fdc6f9cfe9f8d44565bac8a86138613e3b359c06d311d5fea2d3a1aae570
                                        • Instruction Fuzzy Hash: 8801BBB5640308FFE760ABA5DC4DF6B3BACEB89711F004461FA05DB2A1DA719800CB30
                                        APIs
                                          • Part of subcall function 00D77652: CLSIDFromProgID.COMBASE ref: 00D7766F
                                          • Part of subcall function 00D77652: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00D7768A
                                          • Part of subcall function 00D77652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D7758C,80070057,?,?), ref: 00D77698
                                          • Part of subcall function 00D77652: CoTaskMemFree.COMBASE(00000000), ref: 00D776A8
                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00D99B1B
                                        • _memset.LIBCMT ref: 00D99B28
                                        • _memset.LIBCMT ref: 00D99C6B
                                        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00D99C97
                                        • CoTaskMemFree.COMBASE(?), ref: 00D99CA2
                                        Strings
                                        • NULL Pointer assignment, xrefs: 00D99CF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 1300414916-2785691316
                                        • Opcode ID: d5565263b08ad8e9eb9a72adeba4b768ccf4abf76b2ec85af58f52eb0f2f88b4
                                        • Instruction ID: 3c38de6dab17e801e3503a683e5c607056bd9369ab0d43d77a34b14c8b7a2732
                                        • Opcode Fuzzy Hash: d5565263b08ad8e9eb9a72adeba4b768ccf4abf76b2ec85af58f52eb0f2f88b4
                                        • Instruction Fuzzy Hash: 62910871D00229ABDF20DFA5DC95ADEBBB9EF08710F20415AF519A7281DB719A44CFB0
                                        APIs
                                          • Part of subcall function 00D83E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00D83EB6
                                          • Part of subcall function 00D83E91: Process32FirstW.KERNEL32(00000000,?), ref: 00D83EC4
                                          • Part of subcall function 00D83E91: CloseHandle.KERNEL32(00000000), ref: 00D83F8E
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D9ECB8
                                        • GetLastError.KERNEL32 ref: 00D9ECCB
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D9ECFA
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D9ED77
                                        • GetLastError.KERNEL32(00000000), ref: 00D9ED82
                                        • CloseHandle.KERNEL32(00000000), ref: 00D9EDB7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: 4835e53b0559d54566c67afa3a60487f41e02efcde8d40a9a0ba13bfad21e534
                                        • Instruction ID: 6ff9ea33c9fdcf866844ef16f1366e902c91d2616f008fb4875e1c9b64881e6a
                                        • Opcode Fuzzy Hash: 4835e53b0559d54566c67afa3a60487f41e02efcde8d40a9a0ba13bfad21e534
                                        • Instruction Fuzzy Hash: 764189716002109FDB24EF24C896F6EB7A1EF85714F088459F8869B3C2DB75E804CBB2
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 00D832C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: c63da078d43d659f01f751518c483f5d0035df5609f34df678f10d97ee7703a5
                                        • Instruction ID: 175eac66dd3ede0a79019211bf1e0a845902164b09c079d482bd2823602148d1
                                        • Opcode Fuzzy Hash: c63da078d43d659f01f751518c483f5d0035df5609f34df678f10d97ee7703a5
                                        • Instruction Fuzzy Hash: 02112731248346BFA7056B59DC42E6AB79CDF19B70F20006AF908A62C2E6A59B4147BD
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D8454E
                                        • LoadStringW.USER32(00000000), ref: 00D84555
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D8456B
                                        • LoadStringW.USER32(00000000), ref: 00D84572
                                        • _wprintf.LIBCMT ref: 00D84598
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D845B6
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 00D84593
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wprintf
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 3648134473-3128320259
                                        • Opcode ID: 553948b8c38bfe295b694eba523e2325aa3b4ee5af5fb56c401864450db1be48
                                        • Instruction ID: 4f27c23869bd19365d3d02c731bc94d159d55d7875d275d9deaaf07d245a0ef6
                                        • Opcode Fuzzy Hash: 553948b8c38bfe295b694eba523e2325aa3b4ee5af5fb56c401864450db1be48
                                        • Instruction Fuzzy Hash: 2D014FF2900308BFE750A7E49D89EEB776CD709301F0005E5BB45D2151EA749E858B74
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D5C417,00000004,00000000,00000000,00000000), ref: 00D22ACF
                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D5C417,00000004,00000000,00000000,00000000,000000FF), ref: 00D22B17
                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D5C417,00000004,00000000,00000000,00000000), ref: 00D5C46A
                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D5C417,00000004,00000000,00000000,00000000), ref: 00D5C4D6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 014ceceecd46c9ee7e418aa0df771477a812597b3b9622276d0b4ecf29781a64
                                        • Instruction ID: 5b20efc5a1dcedbe871bfa389446bfa7edb3ccb081bf9e5f44c7320d65f0d40d
                                        • Opcode Fuzzy Hash: 014ceceecd46c9ee7e418aa0df771477a812597b3b9622276d0b4ecf29781a64
                                        • Instruction Fuzzy Hash: 77410E31218790BECB354B28ECD8B7A7BD2AB76318F1C842DF49786A60C675E845D730
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00D8737F
                                          • Part of subcall function 00D40FF6: std::exception::exception.LIBCMT ref: 00D4102C
                                          • Part of subcall function 00D40FF6: __CxxThrowException@8.LIBCMT ref: 00D41041
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D873B6
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00D873D2
                                        • _memmove.LIBCMT ref: 00D87420
                                        • _memmove.LIBCMT ref: 00D8743D
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D8744C
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D87461
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D87480
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 256516436-0
                                        • Opcode ID: 36735a7c0fb863e300f965a72fb7888471212110661300714ff0244679b3cfab
                                        • Instruction ID: 52a50d96038a08b545a8700675704663aae175420334382eb5843cc23b1c756f
                                        • Opcode Fuzzy Hash: 36735a7c0fb863e300f965a72fb7888471212110661300714ff0244679b3cfab
                                        • Instruction Fuzzy Hash: 70316F75904205EBDF10EFA8DC85AAE7BB8EF45710B2441B6F904EB246DB30DA54CBB4
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00DA645A
                                        • GetDC.USER32(00000000), ref: 00DA6462
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DA646D
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00DA6479
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DA64B5
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DA64C6
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DA9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00DA6500
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DA6520
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 2b0e5b0032db1f4f71e096dfacc9263d8e5088e71e882a52cfc62038899ca181
                                        • Instruction ID: b25b32f616718cc0eaefd802d2d949b4660b26b7efa30cfa5bf65596777ecf49
                                        • Opcode Fuzzy Hash: 2b0e5b0032db1f4f71e096dfacc9263d8e5088e71e882a52cfc62038899ca181
                                        • Instruction Fuzzy Hash: 99316D72601214BFEB118F50CC4AFEA3FA9EF0A761F0840A5FE08DA295D6759C41CB74
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: b3d51acc6cee2a59149122f578a475efe99b2d694abd55055a529c2384246772
                                        • Instruction ID: 6a4a797d668f513f4b85b31b652eb0a854fc7afd9bbfa537ffe257226a2191b2
                                        • Opcode Fuzzy Hash: b3d51acc6cee2a59149122f578a475efe99b2d694abd55055a529c2384246772
                                        • Instruction Fuzzy Hash: 4C21A166610205FFD614BA21DD42FBF279CEF203A4B489028FD0E96287FB51DE1586F5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b4ebff8c21d8988badb44b6c808d277625fd109150d2483f5520d9dd57ab62e
                                        • Instruction ID: c88bf4b26484f18a34f46548167a1e8e95c2668ed6f92ae305b1e899cb1fbdfa
                                        • Opcode Fuzzy Hash: 7b4ebff8c21d8988badb44b6c808d277625fd109150d2483f5520d9dd57ab62e
                                        • Instruction Fuzzy Hash: 32717A34900119EFCB049F98D849ABEBB79FFA5324F14C189F915AA251C734AA12CFB4
                                        APIs
                                        • IsWindow.USER32(010A1F20), ref: 00DAB6A5
                                        • IsWindowEnabled.USER32(010A1F20), ref: 00DAB6B1
                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00DAB795
                                        • SendMessageW.USER32(010A1F20,000000B0,?,?), ref: 00DAB7CC
                                        • IsDlgButtonChecked.USER32(?,?), ref: 00DAB809
                                        • GetWindowLongW.USER32(010A1F20,000000EC), ref: 00DAB82B
                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DAB843
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                        • String ID:
                                        • API String ID: 4072528602-0
                                        • Opcode ID: 7198d2d04e7a8ee4de4611eb75a9bc5a8a73664edfa5fbf26ec0a76e92b9614a
                                        • Instruction ID: 33067f23c5525da19e2f0fb25d4754c8cf5d2b3da3bbba8d37b70f9c867d527c
                                        • Opcode Fuzzy Hash: 7198d2d04e7a8ee4de4611eb75a9bc5a8a73664edfa5fbf26ec0a76e92b9614a
                                        • Instruction Fuzzy Hash: 30717F34600304AFDB249F64C8D4FAA7BA9FF5A360F1C445AE9459B3A2C771A952CB70
                                        APIs
                                        • _memset.LIBCMT ref: 00D9F75C
                                        • _memset.LIBCMT ref: 00D9F825
                                        • ShellExecuteExW.SHELL32(?), ref: 00D9F86A
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                          • Part of subcall function 00D3FEC6: _wcscpy.LIBCMT ref: 00D3FEE9
                                        • GetProcessId.KERNEL32(00000000), ref: 00D9F8E1
                                        • CloseHandle.KERNEL32(00000000), ref: 00D9F910
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                        • String ID: @
                                        • API String ID: 3522835683-2766056989
                                        • Opcode ID: 8ecb3d73480f987bfaab517a41a4377be468c504ca5d453f31f6caffbe089265
                                        • Instruction ID: 07e1fbb09d2356ae9480f7e6973c2837432fba52331c343fe2e0b564e420da09
                                        • Opcode Fuzzy Hash: 8ecb3d73480f987bfaab517a41a4377be468c504ca5d453f31f6caffbe089265
                                        • Instruction Fuzzy Hash: D9618BB5A006299FCF14EFA4D4919AEBBF5FF48314F148469E846AB351CB31AD40CBB0
                                        APIs
                                        • GetParent.USER32(?), ref: 00D8149C
                                        • GetKeyboardState.USER32(?), ref: 00D814B1
                                        • SetKeyboardState.USER32(?), ref: 00D81512
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00D81540
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00D8155F
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00D815A5
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D815C8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: bbf72af183cdce712ea910b17092d346670250f8b3ace1ce1d094ac9538c5c5e
                                        • Instruction ID: df17bf40cb4750b17c954f23e339aad5960c8c09fbafaa1799a325a36ae1f292
                                        • Opcode Fuzzy Hash: bbf72af183cdce712ea910b17092d346670250f8b3ace1ce1d094ac9538c5c5e
                                        • Instruction Fuzzy Hash: 0751E2A4A047D53EFB3663788C45BBA7FAD6B46304F0C8489E1D5868C2D294EC8ED770
                                        APIs
                                        • GetParent.USER32(00000000), ref: 00D812B5
                                        • GetKeyboardState.USER32(?), ref: 00D812CA
                                        • SetKeyboardState.USER32(?), ref: 00D8132B
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D81357
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D81374
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D813B8
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D813D9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: ffcf90e1fe2111f1d7eb1c7029aca2be75a26b0399ea5bcd7c3d596c444ecfb8
                                        • Instruction ID: 370b35b041a8f960c48461a12ba8279613bbe6201da33ece52548206b392c3e9
                                        • Opcode Fuzzy Hash: ffcf90e1fe2111f1d7eb1c7029aca2be75a26b0399ea5bcd7c3d596c444ecfb8
                                        • Instruction Fuzzy Hash: 9951E3A49047D57DFB32A7248C45BBABFADAB06300F0C8589E1D4968C2D395EC9ED770
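The two records above (refs 00D81540..00D815C8 and 00D81357..00D813D9) are the same routine in two flavours: both save the keyboard state, then PostMessageW the four modifier keys VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B), the first with WM_KEYUP (0x101) and the second with WM_KEYDOWN (0x100), i.e. a release and a press of the modifiers. Reading that out of the raw "APIs" lists by hand is tedious, so the following added triage helper (my own code, not part of the Joe Sandbox report or of the sample) parses records in exactly the format dumped on this page and tags the Win32 capability each function exposes. The constant names are the standard winuser.h values; the capability labels and the interpretation of these two functions as the runtime's modifier-key press/release helpers (plausible for a compiled AutoIt stub, which is what the report classifies the sample as) are my assumptions. The sample input is three records copied from above with the "Memory Dump Source" lines trimmed.

```python
"""Parse Joe Sandbox 'APIs' function records and tag the Win32 capability
each function reveals. Added triage helper; not part of the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: three records copied from the report above (ShellExecuteExW
# record, then the WM_KEYUP and WM_KEYDOWN modifier-key records), trimmed.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00D9F75C
• _memset.LIBCMT ref: 00D9F825
• ShellExecuteExW.SHELL32(?), ref: 00D9F86A
  • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
• GetProcessId.KERNEL32(00000000), ref: 00D9F8E1
• CloseHandle.KERNEL32(00000000), ref: 00D9F910
Memory Dump Source
• Instruction Fuzzy Hash: D9618BB5A006299FCF14EFA4D4919AEBBF5FF48314F148469E846AB351CB31AD40CBB0
APIs
• GetParent.USER32(?), ref: 00D8149C
• GetKeyboardState.USER32(?), ref: 00D814B1
• SetKeyboardState.USER32(?), ref: 00D81512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00D81540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00D8155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00D815A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D815C8
Memory Dump Source
• Instruction Fuzzy Hash: 0551E2A4A047D53EFB3663788C45BBA7FAD6B46304F0C8489E1D5868C2D294EC8ED770
APIs
• GetParent.USER32(00000000), ref: 00D812B5
• GetKeyboardState.USER32(?), ref: 00D812CA
• SetKeyboardState.USER32(?), ref: 00D8132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D81357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D81374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D813B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D813D9
Memory Dump Source
• Instruction Fuzzy Hash: 9951E3A49047D57DFB32A7248C45BBABFADAB06300F0C8589E1D4968C2D395EC9ED770
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; names may carry
# C++ decoration such as std::exception::exception or __CxxThrowException@8.
CALL_RE = re.compile(r"^•\s+([A-Za-z_][\w@:]*)\.(\w+)(?:\((.*)\))?,?\s+ref:\s+([0-9A-Fa-f]{8})$")
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*(\w+)")

# Standard winuser.h values, limited to what the keystroke records use.
WINDOW_MSG = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR"}
VIRTUAL_KEY = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?'
    ref: int


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fuzzy_hash: Optional[str] = None


def _parse_args(text: Optional[str]) -> List[Optional[int]]:
    if not text:
        return []
    toks = [t.strip() for t in text.split(",")]
    return [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]+", t) else None for t in toks]


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; sub-call lines belong to callees and are skipped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or line.startswith("• Part of subcall"):
            continue
        if m := HASH_RE.search(line):
            current.fuzzy_hash = m.group(1)
            continue
        if m := CALL_RE.match(line):
            name, module, args, ref = m.groups()
            current.calls.append(ApiCall(name, module, _parse_args(args), int(ref, 16)))
    return records


def keystrokes(rec: FunctionRecord) -> List[Tuple[str, str]]:
    """(message, key) for every Post/SendMessage whose uMsg is a key event."""
    out = []
    for c in rec.calls:
        if c.name in MESSAGE_APIS and len(c.args) >= 3 and c.args[1] in WINDOW_MSG:
            vk = c.args[2]
            key = VIRTUAL_KEY.get(vk) or (f"VK_{vk:02X}" if vk is not None else "VK_?")
            out.append((WINDOW_MSG[c.args[1]], key))
    return out


def capabilities(rec: FunctionRecord) -> Set[str]:
    """Assumed capability labels derived from the API names in one record."""
    names = {c.name for c in rec.calls}
    caps: Set[str] = set()
    if keystrokes(rec):
        caps.add("synthesized_keystrokes")
    if "SetKeyboardState" in names:
        caps.add("keyboard_state_tamper")
    if names & {"ShellExecuteExW", "ShellExecuteW", "CreateProcessW"}:
        caps.add("process_launch")
    if names & {"RegDeleteKeyW", "RegDeleteValueW"}:
        caps.add("registry_delete")
    return caps


def describe(rec: FunctionRecord) -> str:
    lines = [f"fuzzy_hash={rec.fuzzy_hash} caps={sorted(capabilities(rec))}"]
    lines += [f"  {c.name}.{c.module} @ {c.ref:08X}" for c in rec.calls]
    lines += [f"  -> {msg} {key}" for msg, key in keystrokes(rec)]
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(describe(rec))
```

Run it on the report text as-is (the "Associated" and "Opcode" lines are ignored) and the keystroke lines make the press/release pairing of the two records visible at a glance; the capability tags are a starting point for pivoting on Instruction Fuzzy Hash values across other AutoIt-packed samples.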
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _wcsncpy$LocalTime
                                        • String ID:
                                        • API String ID: 2945705084-0
                                        • Opcode ID: 4969e34ea56289f8dd70a454c29973d104a9d2f2efd38e782443603a322ce22f
                                        • Instruction ID: 16c0b3a1ed6adddac35d838892adaa07f87492122d909a0ee525efaca3eba823
                                        • Opcode Fuzzy Hash: 4969e34ea56289f8dd70a454c29973d104a9d2f2efd38e782443603a322ce22f
                                        • Instruction Fuzzy Hash: 47418FA5C2061876CB10FBB88886ACFB3A8DF04310F508562F518E3121F734E754C7B9
                                        APIs
                                          • Part of subcall function 00D848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D838D3,?), ref: 00D848C7
                                          • Part of subcall function 00D848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D838D3,?), ref: 00D848E0
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00D838F3
                                        • _wcscmp.LIBCMT ref: 00D8390F
                                        • MoveFileW.KERNEL32(?,?), ref: 00D83927
                                        • _wcscat.LIBCMT ref: 00D8396F
                                        • SHFileOperationW.SHELL32(?), ref: 00D839DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 1377345388-1173974218
                                        • Opcode ID: 468873c196bbfd58c4e25b2bf77c3e27dfbb80ee28a3e42aeb25218f5007e558
                                        • Instruction ID: 9d5ed3877fcdc3bbc4fc60338412d150e97b850e5ad1889b29d0cd4dfc1e57e4
                                        • Opcode Fuzzy Hash: 468873c196bbfd58c4e25b2bf77c3e27dfbb80ee28a3e42aeb25218f5007e558
                                        • Instruction Fuzzy Hash: C3416BB25083459AC755FF64C481AEBB7ECEF89740F44192EF48AC3161EA74D688CB72
                                        APIs
                                        • _memset.LIBCMT ref: 00DA7519
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA75C0
                                        • IsMenu.USER32(?), ref: 00DA75D8
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DA7620
                                        • DrawMenuBar.USER32 ref: 00DA7633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                        • String ID: 0
                                        • API String ID: 3866635326-4108050209
                                        • Opcode ID: 29fa1aaead7bc5be45709ef56e5276330549b446efd464939a462dbcf6ea11ee
                                        • Instruction ID: a4072440281fe107fa9b27fd1293f88b1821f10c2fe0065d936cb61f2de01cbe
                                        • Opcode Fuzzy Hash: 29fa1aaead7bc5be45709ef56e5276330549b446efd464939a462dbcf6ea11ee
                                        • Instruction Fuzzy Hash: F0414975A04608EFDB20DF54D884E9ABBF8FB0A354F088169E9559B390D734ED50CFA0
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00DA125C
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA1286
                                        • FreeLibrary.KERNEL32(00000000), ref: 00DA133D
                                          • Part of subcall function 00DA122D: RegCloseKey.ADVAPI32(?), ref: 00DA12A3
                                          • Part of subcall function 00DA122D: FreeLibrary.KERNEL32(?), ref: 00DA12F5
                                          • Part of subcall function 00DA122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DA1318
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DA12E0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                        • String ID:
                                        • API String ID: 395352322-0
                                        APIs
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DA655B
                                        • GetWindowLongW.USER32(010A1F20,000000F0), ref: 00DA658E
                                        • GetWindowLongW.USER32(010A1F20,000000F0), ref: 00DA65C3
                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DA65F5
                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DA661F
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00DA6630
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DA664A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID:
                                        • API String ID: 2178440468-0
                                        APIs
                                          • Part of subcall function 00D980A0: inet_addr.WS2_32(00000000), ref: 00D980CB
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 00D964D9
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D964E8
                                        • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00D96521
                                        • connect.WSOCK32(00000000,?,00000010), ref: 00D9652A
                                        • WSAGetLastError.WS2_32 ref: 00D96534
                                        • closesocket.WS2_32(00000000), ref: 00D9655D
                                        • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00D96576
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                        • String ID:
                                        • API String ID: 910771015-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D7E0FA
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D7E120
                                        • SysAllocString.OLEAUT32(00000000), ref: 00D7E123
                                        • SysAllocString.OLEAUT32 ref: 00D7E144
                                        • SysFreeString.OLEAUT32 ref: 00D7E14D
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 00D7E167
                                        • SysAllocString.OLEAUT32(?), ref: 00D7E175
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        APIs
                                          • Part of subcall function 00D21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D21D73
                                          • Part of subcall function 00D21D35: GetStockObject.GDI32(00000011), ref: 00D21D87
                                          • Part of subcall function 00D21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D21D91
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DA78A1
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DA78AE
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DA78B9
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DA78C8
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DA78D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00D441E3
                                        • GetProcAddress.KERNEL32(00000000), ref: 00D441EA
                                        • RtlEncodePointer.NTDLL(00000000), ref: 00D441F6
                                        • RtlDecodePointer.NTDLL(00000001), ref: 00D44213
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                        • String ID: RoInitialize$combase.dll
                                        • API String ID: 3489934621-340411864
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D441B8), ref: 00D442B8
                                        • GetProcAddress.KERNEL32(00000000), ref: 00D442BF
                                        • RtlEncodePointer.NTDLL(00000000), ref: 00D442CA
                                        • RtlDecodePointer.NTDLL(00D441B8), ref: 00D442E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                        • String ID: RoUninitialize$combase.dll
                                        • API String ID: 3489934621-2819208100
                                        APIs
                                        • __WSAFDIsSet.WS2_32(00000000,?), ref: 00D96F14
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D96F48
                                        • htons.WS2_32(?), ref: 00D96FFE
                                        • inet_ntoa.WS2_32(?), ref: 00D96FBB
                                          • Part of subcall function 00D7AE14: _strlen.LIBCMT ref: 00D7AE1E
                                          • Part of subcall function 00D7AE14: _memmove.LIBCMT ref: 00D7AE40
                                        • _strlen.LIBCMT ref: 00D97058
                                        • _memmove.LIBCMT ref: 00D970C1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                        • String ID:
                                        • API String ID: 3619996494-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: _memmove$__itow__swprintf
                                        • String ID:
                                        • API String ID: 3253778849-0
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00DA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA0038,?,?), ref: 00DA10BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA0548
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA0588
                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00DA05AB
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DA05D4
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DA0617
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00DA0624
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                        • String ID:
                                        • API String ID: 4046560759-0
                                        APIs
                                        • GetMenu.USER32(?), ref: 00DA5A82
                                        • GetMenuItemCount.USER32(00000000), ref: 00DA5AB9
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DA5AE1
                                        • GetMenuItemID.USER32(?,?), ref: 00DA5B50
                                        • GetSubMenu.USER32(?,?), ref: 00DA5B5E
                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00DA5BAF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Menu$Item$CountMessagePostString
                                        • String ID:
                                        • API String ID: 650687236-0
                                        • Opcode ID: 88fcef0981f8310e3988d7357636778365080acbd2baaaa87a6843bdac01a6cb
                                        • Instruction ID: 6443fc6b3d62be3c8c2bec0ae75f744a38bf3cdead17b6b757d192e79a1418ab
                                        • Opcode Fuzzy Hash: 88fcef0981f8310e3988d7357636778365080acbd2baaaa87a6843bdac01a6cb
                                        • Instruction Fuzzy Hash: 5C516D35A00625EFCB11EFA4D845AAEB7B4EF49320F1444A9F846B7351CB70AE418BB0
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00D7F3F7
                                        • VariantClear.OLEAUT32(00000013), ref: 00D7F469
                                        • VariantClear.OLEAUT32(00000000), ref: 00D7F4C4
                                        • _memmove.LIBCMT ref: 00D7F4EE
                                        • VariantClear.OLEAUT32(?), ref: 00D7F53B
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D7F569
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                        • String ID:
                                        • API String ID: 1101466143-0
                                        • Opcode ID: 42b75745756871426a306800fbdb7476b865e952d6c7ec92344f1c13ba9dee09
                                        • Instruction ID: c01c38fecf415f020ff6736363a21a85ba854c9730f0bb8317c70ee75f439138
                                        • Opcode Fuzzy Hash: 42b75745756871426a306800fbdb7476b865e952d6c7ec92344f1c13ba9dee09
                                        • Instruction Fuzzy Hash: DF5148B5A00209EFCB24CF58D884AAAB7F8FF4D354B158569E959DB310E730E951CBA0
                                        APIs
                                        • _memset.LIBCMT ref: 00D82747
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D82792
                                        • IsMenu.USER32(00000000), ref: 00D827B2
                                        • CreatePopupMenu.USER32 ref: 00D827E6
                                        • GetMenuItemCount.USER32(000000FF), ref: 00D82844
                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D82875
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                        • String ID:
                                        • API String ID: 3311875123-0
                                        • Opcode ID: 8339427485c217eb507c9854a3cd8a2bfa8417e9e61de3e39503ac247a843d82
                                        • Instruction ID: 4cf5806b5248fbe5b2b5aa74d90906b3d2a87dad05ab9a4b7a48f1f3265cb8e8
                                        • Opcode Fuzzy Hash: 8339427485c217eb507c9854a3cd8a2bfa8417e9e61de3e39503ac247a843d82
                                        • Instruction Fuzzy Hash: 6F519E70A0030AEFDF24EFA9D888ABEBBF5EF45314F184169E8519B291D7709944CB71
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00D2179A
                                        • GetWindowRect.USER32(?,?), ref: 00D217FE
                                        • ScreenToClient.USER32(?,?), ref: 00D2181B
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D2182C
                                        • EndPaint.USER32(?,?), ref: 00D21876
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                        • String ID:
                                        • API String ID: 1827037458-0
                                        • Opcode ID: 4b06a938dc532fcfb8ebca299ad06493611ee54d9f32427a55529555a9740be1
                                        • Instruction ID: ebedeebb120bb1f88d39c3e1ddc4b53250a3212191ed005ea4aaa21750b0628e
                                        • Opcode Fuzzy Hash: 4b06a938dc532fcfb8ebca299ad06493611ee54d9f32427a55529555a9740be1
                                        • Instruction Fuzzy Hash: 7641BD34100350AFC710EF24D8C4BBA7BE8EB6A728F184669F994CB2A1C770D805DB72
                                        APIs
                                        • ShowWindow.USER32(00DE67B0,00000000,010A1F20,?,?,00DE67B0,?,00DAB862,?,?), ref: 00DAB9CC
                                        • EnableWindow.USER32(00000000,00000000), ref: 00DAB9F0
                                        • ShowWindow.USER32(00DE67B0,00000000,010A1F20,?,?,00DE67B0,?,00DAB862,?,?), ref: 00DABA50
                                        • ShowWindow.USER32(00000000,00000004,?,00DAB862,?,?), ref: 00DABA62
                                        • EnableWindow.USER32(00000000,00000001), ref: 00DABA86
                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DABAA9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        • API String ID: 642888154-0
                                        • Opcode ID: 0e988441b8546908ca17b294df61313e41cfcf5122e5246b4dd30f3084e49c95
                                        • Instruction ID: 9bea112141d0ef9dc950c0c9990cdbd93e2476ed48514e8a3d52e87d4db79179
                                        • Opcode Fuzzy Hash: 0e988441b8546908ca17b294df61313e41cfcf5122e5246b4dd30f3084e49c95
                                        • Instruction Fuzzy Hash: C4414F31601641AFDB21CF64C489B957FE0FB06320F1C42BAEA488F6A3C771A846CF61
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00D95134,?,?,00000000,00000001), ref: 00D973BF
                                          • Part of subcall function 00D93C94: GetWindowRect.USER32(?,?), ref: 00D93CA7
                                        • GetDesktopWindow.USER32 ref: 00D973E9
                                        • GetWindowRect.USER32(00000000), ref: 00D973F0
                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D97422
                                          • Part of subcall function 00D854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D8555E
                                        • GetCursorPos.USER32(?), ref: 00D9744E
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D974AC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                        • String ID:
                                        • API String ID: 4137160315-0
                                        • Opcode ID: 02f26998dfe5962d181f71e6c57dbed3e744126b78b3c247bb2561fe2f5b96a9
                                        • Instruction ID: 4cd33e1dfaa684bcb729bfedb0e8e1fcc8d23f1bce7766c2f0b34866c44e663e
                                        • Opcode Fuzzy Hash: 02f26998dfe5962d181f71e6c57dbed3e744126b78b3c247bb2561fe2f5b96a9
                                        • Instruction Fuzzy Hash: 3831C472508305ABDB24DF54D849F9BBBE9FF89314F040929F589D7192D730E908CBA2
                                        APIs
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                          • Part of subcall function 00D3FEC6: _wcscpy.LIBCMT ref: 00D3FEE9
                                        • _wcstok.LIBCMT ref: 00D8EEFF
                                        • _wcscpy.LIBCMT ref: 00D8EF8E
                                        • _memset.LIBCMT ref: 00D8EFC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                        • String ID: X
                                        • API String ID: 774024439-3081909835
                                        • Opcode ID: 6df3dffc6cbd8a40726d777f6fee67b376e79231e85fae34c7e915a4668a0a51
                                        • Instruction ID: 00cc41fd6ed2dac7965254a8ec892392d91e02f24d7190a8280e9d235a858422
                                        • Opcode Fuzzy Hash: 6df3dffc6cbd8a40726d777f6fee67b376e79231e85fae34c7e915a4668a0a51
                                        • Instruction Fuzzy Hash: 18C18B716083109FC724EF24D895A6AB7E4FF94314F04496DF8999B2A2DB30ED45CBB2
                                        APIs
                                          • Part of subcall function 00D785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D78608
                                          • Part of subcall function 00D785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D78612
                                          • Part of subcall function 00D785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D78621
                                          • Part of subcall function 00D785F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00D78628
                                          • Part of subcall function 00D785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D7863E
                                        • GetLengthSid.ADVAPI32(?,00000000,00D78977), ref: 00D78DAC
                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D78DB8
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00D78DBF
                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00D78DD8
                                        • GetProcessHeap.KERNEL32(00000000,00000000,00D78977), ref: 00D78DEC
                                        • HeapFree.KERNEL32(00000000), ref: 00D78DF3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                        • String ID:
                                        • API String ID: 169236558-0
                                        • Opcode ID: 6cb12e164d1210f0124f763cca24698613d34b589844b310bec23359af178b41
                                        • Instruction ID: bb0c80bc614588b0579191fed2248de672873974044f63fb0c192f5909dec602
                                        • Opcode Fuzzy Hash: 6cb12e164d1210f0124f763cca24698613d34b589844b310bec23359af178b41
                                        • Instruction Fuzzy Hash: F911AC31640705FFDB209FA4CC0DBAE7BA9EF56315F148069E889D7250EB369900EB70
                                        APIs
                                          • Part of subcall function 00D212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D2134D
                                          • Part of subcall function 00D212F3: SelectObject.GDI32(?,00000000), ref: 00D2135C
                                          • Part of subcall function 00D212F3: BeginPath.GDI32(?), ref: 00D21373
                                          • Part of subcall function 00D212F3: SelectObject.GDI32(?,00000000), ref: 00D2139C
                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00DAC1C4
                                        • LineTo.GDI32(00000000,00000003,?), ref: 00DAC1D8
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DAC1E6
                                        • LineTo.GDI32(00000000,00000000,?), ref: 00DAC1F6
                                        • EndPath.GDI32(00000000), ref: 00DAC206
                                        • StrokePath.GDI32(00000000), ref: 00DAC216
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        • Opcode ID: e098cf0bbc8c70e4d334aa92d20e4494079ebe1f5d255cb6cb9329d76e953930
                                        • Instruction ID: 56edcd2a6b635c3a576d75fa2c86a4fba855c3a4c5ad6bc52cdcc88bfdd5a9df
                                        • Opcode Fuzzy Hash: e098cf0bbc8c70e4d334aa92d20e4494079ebe1f5d255cb6cb9329d76e953930
                                        • Instruction Fuzzy Hash: 8911097640024CBFDB119F94DC88FAA7FADEB093A4F048061BA198A2A1C7719D55DBB0
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D403D3
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D403DB
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D403E6
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D403F1
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D403F9
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D40401
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        • Opcode ID: 0ae152cf117d9384b28e2a32d20b28472f1807a10a0a6998a49ac117d7444470
                                        • Instruction ID: 0f3a2c67717ba622afdb966ac4901a5276f8ebb658f914ddcaf3da0f488d2df5
                                        • Opcode Fuzzy Hash: 0ae152cf117d9384b28e2a32d20b28472f1807a10a0a6998a49ac117d7444470
                                        • Instruction Fuzzy Hash: 18016CB09017597DE3008F5A8C85B52FFA8FF19354F04415BA15C87A41C7F5A864CBE5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D8569B
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D856B1
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00D856C0
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856CF
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856D9
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856E0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        • Opcode ID: 0a41655990aebf6c005fbe5f64c5b8dd3cf2e304ddac4c4a97693f93f5ce288a
                                        • Instruction ID: af2951f4b2a52c8176b8ee011cc73c1cdb076273ed85b7a1ce863fe001ee267c
                                        • Opcode Fuzzy Hash: 0a41655990aebf6c005fbe5f64c5b8dd3cf2e304ddac4c4a97693f93f5ce288a
                                        • Instruction Fuzzy Hash: 59F01D32241258BBE7215BE2EC0EEAB7A7CEBC7B11F0401A9FA04D1150D7A15A0186B5
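The record above lists the function's API calls with raw hexadecimal arguments. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses these "APIs" bullets, names the Win32 constants they carry (WM_CLOSE, SMTO_ABORTIFHUNG with a 500 ms timeout, PROCESS_ALL_ACCESS) and flags the sequence "send WM_CLOSE to a window, then open and terminate its owning process". The regular expression, the constant table and the pattern check are the example's own assumptions about the report's line format; the input lines are copied from the record above. Reading this sequence as the close-then-kill helper of an AutoIt runtime is an inference from the AUTOIT.ERROR string elsewhere in this section, not something the report states.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' bullets and name the Win32 constants in them.

Added example for this report section; not Joe Sandbox code and not code from the
analysed sample. The regex, the constant table and the pattern check are the
example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet, in the three shapes that occur in the report:
#   • Func.MODULE(args), ref: ADDR
#   • _func.LIBCMT ref: ADDR                              (no argument list)
#   • Part of subcall function ADDR: Func.MODULE(args), ref: ADDR
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                  # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                    # call-site address
    subcall_of: Optional[int] = None


# (function, argument index) -> {value: symbolic name}; standard 32-bit Win32 values.
KNOWN = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("CreateFileW", 1): {0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
    ("CreateFileW", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT",
                          0x18A: "LB_GETTEXTLEN", 0x467: "ACM_OPENW"},
    ("GetStockObject", 0): {0x11: "DEFAULT_GUI_FONT"},
    ("SetErrorMode", 0): {0x1: "SEM_FAILCRITICALERRORS"},
}


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # value not recoverable statically
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # the report prints numbers as 8 hex digits
    return tok                           # literal string argument, e.g. 'nul'


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one bullet, or None for any other report line."""
    m = _API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("func"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_block(text: str) -> list:
    """Parse every API bullet in one function record, keeping call order."""
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def annotate(call: ApiCall) -> str:
    """Render a call with known constants replaced by their symbolic names."""
    parts = []
    for i, a in enumerate(call.args):
        if a is None:
            parts.append("?")
        elif isinstance(a, int):
            name = KNOWN.get((call.func, i), {}).get(a)
            parts.append(f"{name}(0x{a:X})" if name else f"0x{a:X}")
        else:
            parts.append(repr(a))
    return f"{call.func}({', '.join(parts)}) @ {call.ref:08X}"


def has_close_then_terminate(calls: list) -> bool:
    """True when a function sends WM_CLOSE to a window and afterwards opens and
    terminates a process: polite close first, forced kill second."""
    sent_close = any(
        c.func in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
        and len(c.args) > 1 and c.args[1] == 0x10
        for c in calls
    )
    funcs = [c.func for c in calls]
    return (sent_close and "OpenProcess" in funcs and "TerminateProcess" in funcs
            and funcs.index("OpenProcess") < funcs.index("TerminateProcess"))


# Input copied from the first function record in this section of the report.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D8569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D856B1
• GetWindowThreadProcessId.USER32(?,?), ref: 00D856C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D856E0
"""

if __name__ == "__main__":
    calls = parse_block(SAMPLE)
    for c in calls:
        print(annotate(c))
    print("close-then-terminate:", has_close_then_terminate(calls))
```

Only the first few arguments of each call are meaningful; the long trailing argument lists the plugin prints for OpenProcess, TerminateProcess and CloseHandle are stack residue from the earlier SendMessageTimeoutW call, which is why the pattern check keys on function order and the WM_CLOSE message number rather than on full argument vectors. The same parser handles the "Part of subcall function" and LIBCMT shapes found in the later records of this section.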
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,?), ref: 00D874E5
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00D874F6
                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00D31044,?,?), ref: 00D87503
                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D31044,?,?), ref: 00D87510
                                          • Part of subcall function 00D86ED7: CloseHandle.KERNEL32(00000000,?,00D8751D,?,00D31044,?,?), ref: 00D86EE1
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D87523
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D8752A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: 59554e7f3ff162caa3222777951a1ba3685df9844a17450b61fd9f408489d28f
                                        • Instruction ID: c34cf37ea45f089f14bccf060479053c54859c2704a0abdb82a2ee76708c8569
                                        • Opcode Fuzzy Hash: 59554e7f3ff162caa3222777951a1ba3685df9844a17450b61fd9f408489d28f
                                        • Instruction Fuzzy Hash: A9F05E3A140712EBDB622BA4FC8CAEB772AEF46712B1405B1F242D11B0DB755801CB74
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00D98928
                                        • CharUpperBuffW.USER32(?,?), ref: 00D98A37
                                        • VariantClear.OLEAUT32(?), ref: 00D98BAF
                                          • Part of subcall function 00D87804: VariantInit.OLEAUT32(00000000), ref: 00D87844
                                          • Part of subcall function 00D87804: VariantCopy.OLEAUT32(00000000,?), ref: 00D8784D
                                          • Part of subcall function 00D87804: VariantClear.OLEAUT32(00000000), ref: 00D87859
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4237274167-1221869570
                                        • Opcode ID: e80450158a16fec130a8c0749c4b72029de4bf8a1704d118451f871904e54fea
                                        • Instruction ID: adc660399f69de75ebc9b90267765393a7575eacf885fd005468b82550d883af
                                        • Opcode Fuzzy Hash: e80450158a16fec130a8c0749c4b72029de4bf8a1704d118451f871904e54fea
                                        • Instruction Fuzzy Hash: 679170716083019FCB10DF28C48595BBBE4EF99714F18896EF89A8B361DB31E945CB72
                                        APIs
                                          • Part of subcall function 00D3FEC6: _wcscpy.LIBCMT ref: 00D3FEE9
                                        • _memset.LIBCMT ref: 00D83077
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D830A6
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D83159
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D83187
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                        • String ID: 0
                                        • API String ID: 4152858687-4108050209
                                        • Opcode ID: d7636c25a600e532e451e8758c2f09228effe031b3636a532867e2180c5b8a83
                                        • Instruction ID: eb5224921179e27713ae89cc1420bdb91765fa0ff4d3747c0ed45fc2cb5bd8e3
                                        • Opcode Fuzzy Hash: d7636c25a600e532e451e8758c2f09228effe031b3636a532867e2180c5b8a83
                                        • Instruction Fuzzy Hash: 2A519F316083409BD725BF28D849A6BB7E8EF55F60F080A2DF899D62D1DB70CE448772
                                        APIs
                                        • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00D7DAC5
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D7DAFB
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D7DB0C
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D7DB8E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: 2159896ded673a01d1db56ce1c66b07d41968828dae9efa025de70bdaac41b56
                                        • Instruction ID: d80aab01e2647e5ddaea3e46740683416d1ccfa41931bcdc3f3d5b4859dbe1cc
                                        • Opcode Fuzzy Hash: 2159896ded673a01d1db56ce1c66b07d41968828dae9efa025de70bdaac41b56
                                        • Instruction Fuzzy Hash: 714151B1600304DFDB15CF54C884A9A7BBAEF48350F19C1AAAD09DF205E7B1D944CBB0
                                        APIs
                                        • _memset.LIBCMT ref: 00D82CAF
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D82CCB
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00D82D11
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00DE6890,00000000), ref: 00D82D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem_memset
                                        • String ID: 0
                                        • API String ID: 1173514356-4108050209
                                        • Opcode ID: 118eb22b6463321a013dc8ec84952acafd942a903f793c319ec66785053553df
                                        • Instruction ID: 7260da865569521caa9f6c56b1ffe3c873b5637949c46fc8c7a39915f295ebcf
                                        • Opcode Fuzzy Hash: 118eb22b6463321a013dc8ec84952acafd942a903f793c319ec66785053553df
                                        • Instruction Fuzzy Hash: E14180302053029FD720EF25D845B6ABBE8FF85320F184A5DF9A5972A1D770E905CBB2
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D9DAD9
                                          • Part of subcall function 00D279AB: _memmove.LIBCMT ref: 00D279F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BuffCharLower_memmove
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 3425801089-567219261
                                        • Opcode ID: 276d9204cf7ad891a786f9859183e8eaaeb73bc4e3e89f7a8fc92bda4c876cb0
                                        • Instruction ID: 2356d0bd5778879101aafb7d4aa2a49b1f1133fb340ad24a2853235dcb404a58
                                        • Opcode Fuzzy Hash: 276d9204cf7ad891a786f9859183e8eaaeb73bc4e3e89f7a8fc92bda4c876cb0
                                        • Instruction Fuzzy Hash: 7931A17190021AAFCF10EF94C8819AEB7B5FF15318B10866AE865A7795DB31A905CBB0
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D793F6
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D79409
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00D79439
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$_memmove$ClassName
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 365058703-1403004172
                                        • Opcode ID: 9ac97a00e7898ab0d52b15b97a4239ff99cd60c9e30146aab2dc571110bd4052
                                        • Instruction ID: dd0e97c40d878ce2e876c6357965afbf8dbbc6c7acb5c5cc1ab5a231b1cfb430
                                        • Opcode Fuzzy Hash: 9ac97a00e7898ab0d52b15b97a4239ff99cd60c9e30146aab2dc571110bd4052
                                        • Instruction Fuzzy Hash: A121F672904104BFDB14ABB0EC96DFFB778DF05364B18852AF929972E1EB35490A9630
                                        APIs
                                          • Part of subcall function 00D21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D21D73
                                          • Part of subcall function 00D21D35: GetStockObject.GDI32(00000011), ref: 00D21D87
                                          • Part of subcall function 00D21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D21D91
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DA66D0
                                        • LoadLibraryW.KERNEL32(?), ref: 00DA66D7
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DA66EC
                                        • DestroyWindow.USER32(?), ref: 00DA66F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                        • String ID: SysAnimate32
                                        • API String ID: 4146253029-1011021900
                                        • Opcode ID: 8781e54e64cc6245b247079ae4709868b332af5061364e4ebffc3cfae42cee9d
                                        • Instruction ID: f21ce6c7993903105d2179460b19afe15c1cd177b03d73f2b64e8a726bd8bd98
                                        • Opcode Fuzzy Hash: 8781e54e64cc6245b247079ae4709868b332af5061364e4ebffc3cfae42cee9d
                                        • Instruction Fuzzy Hash: 8A218B71200206EBEF104FA4EC80EAB77ADEB6A368F1C4669FA50D21A0DB71CC519770
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00D8705E
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D87091
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00D870A3
                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D870DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CreateHandle$FilePipe
                                        • String ID: nul
                                        • API String ID: 4209266947-2873401336
                                        • Opcode ID: 6bd1cbbcab7cdb36c9951390a70809c940bc9b2a22850ccaf50f4cd4da89d7b6
                                        • Instruction ID: 892d1add7884068894136759f643e46700f301cabbb4f2048a4d11add5f963b2
                                        • Opcode Fuzzy Hash: 6bd1cbbcab7cdb36c9951390a70809c940bc9b2a22850ccaf50f4cd4da89d7b6
                                        • Instruction Fuzzy Hash: 37217A75604309ABDB20AF68D805A9A77F8BF95760F348A29F9A0D72D0E771D840CB70
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00D8712B
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D8715D
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00D8716E
                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D871A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CreateHandle$FilePipe
                                        • String ID: nul
                                        • API String ID: 4209266947-2873401336
                                        • Opcode ID: bb05dba1c6cd3240bedf9589ca50fb7f5045d1a3beae867317c7c1133bf6a3f6
                                        • Instruction ID: 7df58da2a6ca7911998b52226dc6d37d0dce806a6bf4de4594341ceb276d7234
                                        • Opcode Fuzzy Hash: bb05dba1c6cd3240bedf9589ca50fb7f5045d1a3beae867317c7c1133bf6a3f6
                                        • Instruction Fuzzy Hash: 5E216D75608305ABDB20AF689C08AAAB7E8AF55B34F340A19F9E1D72D0D770D841CB75
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00D8AEBF
                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D8AF13
                                        • __swprintf.LIBCMT ref: 00D8AF2C
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00DAF910), ref: 00D8AF6A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume__swprintf
                                        • String ID: %lu
                                        • API String ID: 3164766367-685833217
                                        • Opcode ID: 6fde631133341351d4a053b316b2704bdfdc6f88a3f3cc6ff5558fe865df22f6
                                        • Instruction ID: 5e985c4bfa9e00a3bd0ee9d2f1b34034bcf8650eb3dc2a3f2319b6f10fb92e25
                                        • Opcode Fuzzy Hash: 6fde631133341351d4a053b316b2704bdfdc6f88a3f3cc6ff5558fe865df22f6
                                        • Instruction Fuzzy Hash: 53215635A00209AFDB10EFA4DD85EAEB7B8EF49714B1040A9F909DB351DB31EA45CB71
                                        APIs
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                          • Part of subcall function 00D7A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D7A399
                                          • Part of subcall function 00D7A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7A3AC
                                          • Part of subcall function 00D7A37C: GetCurrentThreadId.KERNEL32 ref: 00D7A3B3
                                          • Part of subcall function 00D7A37C: AttachThreadInput.USER32(00000000), ref: 00D7A3BA
                                        • GetFocus.USER32 ref: 00D7A554
                                          • Part of subcall function 00D7A3C5: GetParent.USER32(?), ref: 00D7A3D3
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00D7A59D
                                        • EnumChildWindows.USER32(?,00D7A615), ref: 00D7A5C5
                                        • __swprintf.LIBCMT ref: 00D7A5DF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                        • String ID: %s%d
                                        • API String ID: 1941087503-1110647743
                                        • Opcode ID: 38691dfe651361855efef038e4445f08561dc86303c846bf107caad3ecff2b37
                                        • Instruction ID: 51d7c6b3cb824f2fde6976e6de90f0234b4e2eaf3b12447f6bac1d65ada5bffb
                                        • Opcode Fuzzy Hash: 38691dfe651361855efef038e4445f08561dc86303c846bf107caad3ecff2b37
                                        • Instruction Fuzzy Hash: 72118471600219BBDF117FA8DC85FEE7778DF89710F0480B5B90CAA192EA7059458B75
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00D82048
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                        • API String ID: 3964851224-769500911
                                        • Opcode ID: b6ee036501903496d414779a6d77eba1a123e1c4fd27b3367227b92a0e8ce784
                                        • Instruction ID: 4d707209e4c1993b1e4190c60ffb9e63b2e9f73ec96f85e284fcc7dbca915371
                                        • Opcode Fuzzy Hash: b6ee036501903496d414779a6d77eba1a123e1c4fd27b3367227b92a0e8ce784
                                        • Instruction Fuzzy Hash: 56110930D1021A9FCF10EFA4D9518BEB7B4FF16304F5484A9D855A7352EB32690ACB70
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D9EF1B
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D9EF4B
                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D9F07E
                                        • CloseHandle.KERNEL32(?), ref: 00D9F0FF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                        • String ID:
                                        • API String ID: 2364364464-0
                                        • Opcode ID: 0f7ee5703ef2ca5d840773db93222cd19e97a5f42feff1ed972254cdd89c053b
                                        • Instruction ID: 3cfd18937e470d5c6356dbe70b7d086615134dcf0828e7c73c976bb2cb827282
                                        • Opcode Fuzzy Hash: 0f7ee5703ef2ca5d840773db93222cd19e97a5f42feff1ed972254cdd89c053b
                                        • Instruction Fuzzy Hash: 128171B16043109FDB20EF28D856B2AB7E5EF58724F04885DF599DB392DB71AC408BB1
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00DA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA0038,?,?), ref: 00DA10BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA0388
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA03C7
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DA040E
                                        • RegCloseKey.ADVAPI32(?,?), ref: 00DA043A
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00DA0447
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3440857362-0
                                        • Opcode ID: c91ac8b7feea85c67eb83a8fd13c665ec35a3c16a2239dc9bfc6b30e70072075
                                        • Instruction ID: ee2fa895eeb858093bd5fe9346e1aef54341cf9c0f0048da73af2f66e0d6e8b0
                                        • Opcode Fuzzy Hash: c91ac8b7feea85c67eb83a8fd13c665ec35a3c16a2239dc9bfc6b30e70072075
                                        • Instruction Fuzzy Hash: 13513B31208204AFDB14EF64D891F6EBBE8FF89308F04896DB59597291DB71E904CB72
                                        APIs
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D9DC3B
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00D9DCBE
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00D9DCDA
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00D9DD1B
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D9DD35
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D87B20,?,?,00000000), ref: 00D25B8C
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D87B20,?,?,00000000,?,?), ref: 00D25BB0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                        • String ID:
                                        • API String ID: 327935632-0
                                        • Opcode ID: edaa431764284da2128757c4971f155e24e0a17d960bb81b6feb3a1f84c3552f
                                        • Instruction ID: a0b7ad00b7c77e224732b3f09ae4c4b6641a91c908319077b7bc6855fc4772ea
                                        • Opcode Fuzzy Hash: edaa431764284da2128757c4971f155e24e0a17d960bb81b6feb3a1f84c3552f
                                        • Instruction Fuzzy Hash: 2B513635A00215DFDB00EFA8D494DADB7F5FF59324B1880A9E819AB361DB30ED45CBA0
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D8E88A
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D8E8B3
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D8E8F2
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D8E917
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D8E91F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                        • String ID:
                                        • API String ID: 1389676194-0
                                        • Opcode ID: d1c8160206645075a1bb3c4d3eff5a78e13ae547b1ba0b1b59de43465295b3ee
                                        • Instruction ID: 91e0c521deae1dbaaf8488ee4f56415af6f2fbb80aca15ea92cc5f0f191e34ed
                                        • Opcode Fuzzy Hash: d1c8160206645075a1bb3c4d3eff5a78e13ae547b1ba0b1b59de43465295b3ee
                                        • Instruction Fuzzy Hash: F8512A35A00215DFCB00EF64D991AADBBF5EF09314B148099E849AB361CB31ED41CF70
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c16bf6f00787e88494e030a4ea0bcb52c367ff21947a62d1f284747cfa2ad29
                                        • Instruction ID: 9452c63f9cd0938603e174def7c1cc25099a20a09c6662a699160498af2cdd49
                                        • Opcode Fuzzy Hash: 3c16bf6f00787e88494e030a4ea0bcb52c367ff21947a62d1f284747cfa2ad29
                                        • Instruction Fuzzy Hash: A341B235900214AFDB20DFACCC88BB9BBA5EB0A310F194265F956E72E1D770ED41DA71
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00D22357
                                        • ScreenToClient.USER32(00DE67B0,?), ref: 00D22374
                                        • GetAsyncKeyState.USER32(00000001), ref: 00D22399
                                        • GetAsyncKeyState.USER32(00000002), ref: 00D223A7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: 6991dd606a047587dd71e0b711b9e80e63b3b00bde543015aae094329004eff6
                                        • Instruction ID: 815250086b177e26a7a1c2024dee9fcf0f517cdd3303e36e9b6e2ec65f7d974b
                                        • Opcode Fuzzy Hash: 6991dd606a047587dd71e0b711b9e80e63b3b00bde543015aae094329004eff6
                                        • Instruction Fuzzy Hash: 5A419E31504229FFCF15CFA8D844AEDBBB4FB06324F24435AF86896290C7359994DBB1
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D7695D
                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00D769A9
                                        • TranslateMessage.USER32(?), ref: 00D769D2
                                        • DispatchMessageW.USER32(?), ref: 00D769DC
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D769EB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                        • String ID:
                                        • API String ID: 2108273632-0
                                        • Opcode ID: 678ec21e73493ec34933fc2ec5c4f34ed2a404f8895ea513befbbdb75c6da88f
                                        • Instruction ID: 99a9f06fff8d443f2b1b542f72ea2af02034957df55d06c11025ff939c3b7a84
                                        • Opcode Fuzzy Hash: 678ec21e73493ec34933fc2ec5c4f34ed2a404f8895ea513befbbdb75c6da88f
                                        • Instruction Fuzzy Hash: 9A31D831900B46AADB20DF74DC84FB67BACEB12354F188169E529D62A1F734D845DB70
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00D78F12
                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00D78FBC
                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D78FC4
                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00D78FD2
                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D78FDA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00D7B6C7
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D7B6E4
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D7B71C
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D7B742
                                        • _wcsstr.LIBCMT ref: 00D7B74C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                        • String ID:
                                        • API String ID: 3902887630-0
                                        APIs
                                          • Part of subcall function 00D22612: GetWindowLongW.USER32(?,000000EB), ref: 00D22623
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00DAB44C
                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00DAB471
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DAB489
                                        • GetSystemMetrics.USER32(00000004), ref: 00DAB4B2
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D91184,00000000), ref: 00DAB4D0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$Long$MetricsSystem
                                        • String ID:
                                        • API String ID: 2294984445-0
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D79802
                                          • Part of subcall function 00D27D2C: _memmove.LIBCMT ref: 00D27D66
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D79834
                                        • __itow.LIBCMT ref: 00D7984C
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D79874
                                        • __itow.LIBCMT ref: 00D79885
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend$__itow$_memmove
                                        • String ID:
                                        • API String ID: 2983881199-0
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D2134D
                                        • SelectObject.GDI32(?,00000000), ref: 00D2135C
                                        • BeginPath.GDI32(?), ref: 00D21373
                                        • SelectObject.GDI32(?,00000000), ref: 00D2139C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00D84D5C
                                        • __beginthreadex.LIBCMT ref: 00D84D7A
                                        • MessageBoxW.USER32(?,?,?,?), ref: 00D84D8F
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D84DA5
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D84DAC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                        • String ID:
                                        • API String ID: 3824534824-0
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D78766
                                        • GetLastError.KERNEL32(?,00D7822A,?,?,?), ref: 00D78770
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00D7822A,?,?,?), ref: 00D7877F
                                        • RtlAllocateHeap.NTDLL(00000000,?,00D7822A), ref: 00D78786
                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D7879D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 883493501-0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D85502
                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D85510
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D85518
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D85522
                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D8555E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        APIs
                                        • CLSIDFromProgID.COMBASE ref: 00D7766F
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00D7768A
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D7758C,80070057,?,?), ref: 00D77698
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00D776A8
                                        • CLSIDFromString.COMBASE(?,?), ref: 00D776B4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D78608
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D78612
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D78621
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00D78628
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D7863E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D78669
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D78673
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D78682
                                        • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00D78689
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D7869F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        • Opcode ID: 8dcf1243442595abf87f61023998eb18e75985ccd881929cc89e5da8d89a02cf
                                        • Instruction ID: 55126f16c6095ce1951de585bd98c0ba03b962935957914e8d84687f6ee6b3fb
                                        • Instruction Fuzzy Hash: EAF06271240304BFEB211FA5EC8DE6B3BACEF8A765B140065F949C6250DBB1DD41EA71
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00D7C6BA
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00D7C6D1
                                        • MessageBeep.USER32(00000000), ref: 00D7C6E9
                                        • KillTimer.USER32(?,0000040A), ref: 00D7C705
                                        • EndDialog.USER32(?,00000001), ref: 00D7C71F
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: c770f1fee5736ac0004d22a769a94c576c81c2b919d2f2a931ad668f7df20fb0
                                        • Instruction ID: 38e2d6d36b2eb1b84eb2e1a716b8e5aca8a20e46f33f1226a481fb138e36f5e7
                                        • Instruction Fuzzy Hash: 3401A230410704ABEB245F60DC8EF9677B8FF01705F0856ADF586E11E1EBE0A9548FA0
                                        APIs
                                        • EndPath.GDI32(?), ref: 00D213BF
                                        • StrokeAndFillPath.GDI32(?,?,00D5BAD8,00000000,?), ref: 00D213DB
                                        • SelectObject.GDI32(?,00000000), ref: 00D213EE
                                        • DeleteObject.GDI32 ref: 00D21401
                                        • StrokePath.GDI32(?), ref: 00D2141C
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: 5a387ed1290f2f0231142bfe67ab20bf336322858c58ef1d3733bb830f350819
                                        • Instruction ID: 79ab2c61ac99aed8ab7b93bff86570f026fdea0e328bf105f3eadabff2782f79
                                        • Instruction Fuzzy Hash: 21F01934000348EBDB156F66EC8C7583BA5AB213AAF88C264E569C82F1C7318996DF34
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D78E7F
                                        • CloseHandle.KERNEL32(?), ref: 00D78E94
                                        • CloseHandle.KERNEL32(?), ref: 00D78E9C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00D78EA5
                                        • HeapFree.KERNEL32(00000000), ref: 00D78EAC
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                        • String ID:
                                        • API String ID: 3751786701-0
                                        • Opcode ID: 80f7f5428d584a31650d47e6c84be9048a3f1a0d99b1d92f127c07c0858a4a65
                                        • Instruction ID: e7de055c18cd9c1b36b00658ce387305da00cd0340a9d27c2879358b5c8166a9
                                        • Instruction Fuzzy Hash: 44E0C236104201FFDB011FE1EC0C90ABB69FB9A322B108270F259C1270CB32A421DB60
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00D8C69D
                                        • CoCreateInstance.COMBASE(00DB2D6C,00000000,00000001,00DB2BDC,?), ref: 00D8C6B5
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                        • CoUninitialize.COMBASE ref: 00D8C922
                                        Strings
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                        • String ID: .lnk
                                        • API String ID: 2683427295-24824748
                                        • Opcode ID: fdf4d5cb7576e1d88d6c6d6d07a4baffca4389c7b75256677d0202999f014f7a
                                        • Instruction ID: 2cee53fc4af7bc22d626f58b0b21d2c4ddbe24b0882af2e34e616fbd28343a8f
                                        • Instruction Fuzzy Hash: 41A12C71108315AFD700EF54D892EABB7E8EF94708F00495CF196971A2EB70EA49CB72
                                        APIs
                                          • Part of subcall function 00D40FF6: std::exception::exception.LIBCMT ref: 00D4102C
                                          • Part of subcall function 00D40FF6: __CxxThrowException@8.LIBCMT ref: 00D41041
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D27BB1: _memmove.LIBCMT ref: 00D27C0B
                                        • __swprintf.LIBCMT ref: 00D3302D
                                        Strings
                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D32EC6
                                        Similarity
                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                        • API String ID: 1943609520-557222456
                                        • Opcode ID: 5544639a080be191324b046ca0ccb17be68ba0fcf2ebb9cf0273e80ee83933f5
                                        • Instruction ID: fa3b0d7237d2063c6e7aa7b79888a9062f8b247c2e63553042409cef20415676
                                        • Instruction Fuzzy Hash: 86917A311083119FC728EF24E996C6EB7A4EF95754F04491DF4869B2A5DA30EE44CBB2
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00D452DD
                                          • Part of subcall function 00D50340: __87except.LIBCMT ref: 00D5037B
                                        Strings
                                        Similarity
                                        • API ID: ErrorHandling__87except__start
                                        • String ID: pow
                                        • API String ID: 2905807303-2276729525
                                        • Opcode ID: 055ca615ffab3399cf31d2b76e1ac3434fe71e1ee73881ef5c0019e5da51354f
                                        • Instruction ID: a29d3155dc1bd474795b8618e24a0067dbe47e0bd49ab247bd0c571bb483f191
                                        • Instruction Fuzzy Hash: 5F517921A09701C7DF117B24E98137E2F94DB40751F288959ECC5862EFEE74CCD89A76
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: #$+
                                        • API String ID: 0-2552117581
                                        • Opcode ID: c4a67789bdddb72954a72f0d0381a101c18338b8e10f437388dd1c0c8c96507c
                                        • Instruction ID: 0790cc0295ab9513b81fbb51cb18fbcc846b2a7a2cdadc2a0d0f8121af8bb1d5
                                        • Instruction Fuzzy Hash: 1F513335504256CFCF25DF28E489AFA7BA4EF2A310F1C8055EC959B2A4E7B09C42C772
                                        APIs
                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DA76D0
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DA76E4
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DA7708
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Window
                                        • String ID: SysMonthCal32
                                        • API String ID: 2326795674-1439706946
                                        • Opcode ID: ce32dfad760ae054098112bc0d14dddc8036c9c0f6ccb83cb4b1b981d8f59310
                                        • Instruction ID: a3b860d37d546dc365387bc8fd7f9eccc852b597ce2ebee000c45273d48a3c68
                                        • Instruction Fuzzy Hash: FB21D132600218BBDF11DFA4CC42FEA3B79EF49724F150254FE15AB1D0D6B1A8508BB0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DA6FAA
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DA6FBA
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DA6FDF
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: cd9f192d0dfa780b25424c718983a077f100800acaa37fb1d975743c272d408f
                                        • Instruction ID: bd4a7f3099bcc74212c674ce2bc9f6c9545d9797e61b243c7e7f0a7bb87654bf
                                        • Instruction Fuzzy Hash: FA219232610218BFDF119F54DC85EAB37AAEF8A764F098124F9149B190C671EC518BB0
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DA79E1
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DA79F6
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DA7A03
                                        Strings
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: 1e3abb3f029d629781a776a522254682c51397fc7a02c452ff9ceb4e0929c6e1
                                        • Instruction ID: dab53e6566b275a204a81ef5bf7415f108e7cfca7e8d3d6526599f41f53a5e36
                                        • Instruction Fuzzy Hash: F011C132244208BAEF109F64CC05FEB77A9EF8A768F064529FA45A6191D271D811CB70
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00D61D88,?), ref: 00D9C312
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D9C324
                                        Strings
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                        • API String ID: 2574300362-1816364905
                                        • Opcode ID: b10d02b10c9e9ff86a951be73a146ecdbe5e5d60932fa2f6272872e07c384ca0
                                        • Instruction ID: c2370c6dc9652074e299f68ddd76d5d32f88ee18572985066767a4e7615783c5
                                        • Instruction Fuzzy Hash: BFE08C70220703CFDF204F65C804A8676E4EB0A755B84947AE895C2360E770D840CA70
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00D24C2E), ref: 00D24CA3
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D24CB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                        • API String ID: 2574300362-192647395
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00D24CE1,?), ref: 00D24DA2
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D24DB4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 2574300362-1355242751
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00D24D2E,?,00D24F4F,?,00DE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D24D6F
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D24D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 2574300362-3689287502
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00DA12C1), ref: 00DA1080
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DA1092
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2574300362-4033151799
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D99009,?,00DAF910), ref: 00D99403
                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D99415
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetModuleHandleExW$kernel32.dll
                                        • API String ID: 2574300362-199464113
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 00D9E3D2
                                        • CharLowerBuffW.USER32(?,?), ref: 00D9E415
                                          • Part of subcall function 00D9DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D9DAD9
                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D9E615
                                        • _memmove.LIBCMT ref: 00D9E628
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                        • String ID:
                                        • API String ID: 3659485706-0
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00D983D8
                                        • CoUninitialize.COMBASE ref: 00D983E3
                                          • Part of subcall function 00D7DA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00D7DAC5
                                        • VariantInit.OLEAUT32(?), ref: 00D983EE
                                        • VariantClear.OLEAUT32(?), ref: 00D986BF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                        • String ID:
                                        • API String ID: 780911581-0
                                        APIs
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00D77C32
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00D77C4A
                                        • CLSIDFromProgID.COMBASE(?,?), ref: 00D77C6F
                                        • _memcmp.LIBCMT ref: 00D77C90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Variant$AllocClearCopyInitString
                                        • String ID:
                                        • API String ID: 2808897238-0
                                        APIs
                                        • GetWindowRect.USER32(010AED58,?), ref: 00DA9AD2
                                        • ScreenToClient.USER32(00000002,00000002), ref: 00DA9B05
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00DA9B72
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D8BB09
                                        • GetLastError.KERNEL32(?,00000000), ref: 00D8BB2F
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D8BB54
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D8BB80
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: 687453c3fcb720a1feaa19e17ee18a875c81ac697f1fd5f8e04875bb55c5afca
                                        • Instruction ID: c7a4415c6500798561b6d3c840401d25597e8ed1185aac3d1c81ef64f66c58bb
                                        • Opcode Fuzzy Hash: 687453c3fcb720a1feaa19e17ee18a875c81ac697f1fd5f8e04875bb55c5afca
                                        • Instruction Fuzzy Hash: 47413B39600620DFDB10EF25D595A1DBBE1EF59324F098489E84A9B362CB31FD41CBB1
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DA8B4D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        • Opcode ID: 7c1a1d77a9a429e5613abe050be54d9f1ce72a4d931e822abffea7c2e438079e
                                        • Instruction ID: 9bcec589ddccc29893b0f669b22ed191a6f7c5013b5cf18b83f933a319ce5eff
                                        • Opcode Fuzzy Hash: 7c1a1d77a9a429e5613abe050be54d9f1ce72a4d931e822abffea7c2e438079e
                                        • Instruction Fuzzy Hash: AE31AFB4601314BEEB249F58CC85FA937A5EB07350F284912FE55D62E1DF30E940AB71
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 00DAAE1A
                                        • GetWindowRect.USER32(?,?), ref: 00DAAE90
                                        • PtInRect.USER32(?,?,00DAC304), ref: 00DAAEA0
                                        • MessageBeep.USER32(00000000), ref: 00DAAF11
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: 1729525e5431e68caf2aefdbe7a9a147bf66dd2d0cf95715a205cac67e7d894e
                                        • Instruction ID: 4a967318bf7565f62b1884c609c6239650ca8a2dffede4f2c0c2547f80418ba4
                                        • Opcode Fuzzy Hash: 1729525e5431e68caf2aefdbe7a9a147bf66dd2d0cf95715a205cac67e7d894e
                                        • Instruction Fuzzy Hash: E54148716002199FCB12DF58C884A69BBF5FF4A340F1882A9F814CB351D731EA01CBB2
                                        APIs
                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D81037
                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00D81053
                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D810B9
                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D8110B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: aa7687e303ad08f1c0c3dae7af4578bc8eb8f3c68a8ed508b7ad0e8121a49bcf
                                        • Instruction ID: e50877fa55ec05541c84b8502783d38601fe659fd89c0129625396526c71374d
                                        • Opcode Fuzzy Hash: aa7687e303ad08f1c0c3dae7af4578bc8eb8f3c68a8ed508b7ad0e8121a49bcf
                                        • Instruction Fuzzy Hash: 17313734E40688AEFB30AB65CC09BF9BBADAB45310F0C435AE584921D1C37589CE9771
                                        APIs
                                        • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00D81176
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00D81192
                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00D811F1
                                        • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00D81243
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: c268a1242a216b6cc99ab1e2c643ae0f126f30d24e7c2f8d070b2f11dff69493
                                        • Instruction ID: 8023370c7dd4a1e2d9fd0ff00590046dbad985d72794f8530a9644d0ccf6e8c3
                                        • Opcode Fuzzy Hash: c268a1242a216b6cc99ab1e2c643ae0f126f30d24e7c2f8d070b2f11dff69493
                                        • Instruction Fuzzy Hash: 01312874D407186AEF30ABA5CC09BFA7BAEEB4A310F08435AE585921D1C334895E9775
                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D5644B
                                        • __isleadbyte_l.LIBCMT ref: 00D56479
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D564A7
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D564DD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: f36bb4e3cda2377c8e78bee4c25cf50ebc680fbf006a2827de6b2e8d4ea75292
                                        • Instruction ID: a3bf7123a0b107bc386ecc6cdee206069dccca32dba0013724a9941f02d79195
                                        • Opcode Fuzzy Hash: f36bb4e3cda2377c8e78bee4c25cf50ebc680fbf006a2827de6b2e8d4ea75292
                                        • Instruction Fuzzy Hash: CE31E13160824AAFDF218F74C844BAA7BA5FF41352F594529EC54872A0EB31D898DBB0
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00DA5189
                                          • Part of subcall function 00D8387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D83897
                                          • Part of subcall function 00D8387D: GetCurrentThreadId.KERNEL32 ref: 00D8389E
                                          • Part of subcall function 00D8387D: AttachThreadInput.USER32(00000000,?,00D852A7), ref: 00D838A5
                                        • GetCaretPos.USER32(?), ref: 00DA519A
                                        • ClientToScreen.USER32(00000000,?), ref: 00DA51D5
                                        • GetForegroundWindow.USER32 ref: 00DA51DB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: 49cfe17ed860ebaf0ee6f0ed349989d344e5195dfecf80698cf7ce19d3731991
                                        • Instruction ID: 1e00e4c359607bc877a1b4afef10803470525158c6516525a4a9d25933dc4f40
                                        • Opcode Fuzzy Hash: 49cfe17ed860ebaf0ee6f0ed349989d344e5195dfecf80698cf7ce19d3731991
                                        • Instruction Fuzzy Hash: BE31F872D00218AFDB00EFA5D995AEFB7F9EF99304F10406AE415E7241EA759A05CBB0
                                        APIs
                                        • __setmode.LIBCMT ref: 00D40BF2
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D87B20,?,?,00000000), ref: 00D25B8C
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D87B20,?,?,00000000,?,?), ref: 00D25BB0
                                        • _fprintf.LIBCMT ref: 00D40C29
                                        • OutputDebugStringW.KERNEL32(?), ref: 00D76331
                                          • Part of subcall function 00D44CDA: _flsall.LIBCMT ref: 00D44CF3
                                        • __setmode.LIBCMT ref: 00D40C5E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                        • String ID:
                                        • API String ID: 521402451-0
                                        • Opcode ID: c72555b41241d09fa351278ef51df91eb85dbcda5a4ac62e635e536bfb64bb1b
                                        • Instruction ID: 024760397186a32339327071a91b475a368c86117f98274c5563389bd3ea8121
                                        • Opcode Fuzzy Hash: c72555b41241d09fa351278ef51df91eb85dbcda5a4ac62e635e536bfb64bb1b
                                        • Instruction Fuzzy Hash: 44113632904214BFDB04B7B4AC83EBEBB69DF45320F18411AF204A7192EE319D8697B5
                                        APIs
                                           • Part of subcall function 00D78652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00D78669
                                           • Part of subcall function 00D78652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00D78673
                                           • Part of subcall function 00D78652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00D78682
                                           • Part of subcall function 00D78652: RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 00D78689
                                           • Part of subcall function 00D78652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00D7869F
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D78BEB
                                        • _memcmp.LIBCMT ref: 00D78C0E
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D78C44
                                        • HeapFree.KERNEL32(00000000), ref: 00D78C4B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                        • String ID:
                                        • API String ID: 2182266621-0
                                        • Opcode ID: 37c20ec713ed7f8ae161732512f2d7e88360d9b48359c3cb264fa001f19583a9
                                        • Instruction ID: 59f06eb83548b233e57becf17c3aaf9fb945962b19de0390ebe41bd8303929e7
                                        • Opcode Fuzzy Hash: 37c20ec713ed7f8ae161732512f2d7e88360d9b48359c3cb264fa001f19583a9
                                        • Instruction Fuzzy Hash: D2217F71E41208EFDB10DF94C949BEEB7B8EF44355F198099E458A7240EB31AA05DB71
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D91A97
                                          • Part of subcall function 00D91B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D91B40
                                          • Part of subcall function 00D91B21: InternetCloseHandle.WININET(00000000), ref: 00D91BDD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Internet$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 1463438336-0
                                        • Opcode ID: 2a59df1c75f347a2472dc1000abcff7c2c4bfa854fd40eb921822c493921b5ca
                                        • Instruction ID: 24aa47b432547f7a4ff1de6b2cbe3717466931da195f5a2deb19ca241ac82c96
                                        • Opcode Fuzzy Hash: 2a59df1c75f347a2472dc1000abcff7c2c4bfa854fd40eb921822c493921b5ca
                                        • Instruction Fuzzy Hash: 68219F39200602BFDF129FA08C01FBAB7AEFF45705F14451AFA5296650EB71D8119BB0
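The listing above presents one function per block, which is slow to triage by eye. The following Python is an added example for this page, not Joe Sandbox or AutoIt code: it parses the bullet format of the "APIs" blocks as shown here (one bullet per call, "Part of subcall function" bullets for callees, the "API ID:" bullet used as the function label), decodes the Msg argument of the PostMessageW calls using the documented winuser.h values, and applies a small tag table that is this example's own choice of which import combinations deserve a second look. SAMPLE_REPORT is an excerpt of the blocks above, in the report's own format.

```python
"""Reduce Joe Sandbox 'APIs' listing blocks to per-function behaviour tags.

Added example, not Joe Sandbox or AutoIt code. The block format is the one
shown in this report; the tag table is an assumption about what matters
for triage, and the WM_* values are the documented Windows constants.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API bullet. CRT symbols such as '_free.LIBCMT ref: ...' carry no
# argument list, so the '(args),' group is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Msg values seen in the PostMessageW calls above (winuser.h constants).
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    callee: str | None = None  # set when the call sits in a callee, not the function itself


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""


def split_args(args: str) -> list[str]:
    """Split on top-level commas so '00000003(TokenPrivileges)' stays one argument."""
    out, cur, depth = [], [], 0
    for ch in args:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return out


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Cut the listing into functions; each block starts at an 'APIs' header."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], split_args(m["args"] or ""), m["ref"], m["callee"]))
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
    return [b for b in blocks if b.calls]


def decode_window_message(call: ApiCall) -> str | None:
    """Name the Msg parameter (second argument) of a Post/SendMessage call."""
    if not call.name.startswith(("PostMessage", "SendMessage")) or len(call.args) < 2:
        return None
    try:
        return WINDOW_MESSAGES.get(int(call.args[1], 16))
    except ValueError:  # placeholder such as '?'
        return None


def classify(block: FunctionBlock) -> set[str]:
    """Behaviour tags for one function, derived only from the names it calls."""
    names = {c.name for c in block.calls}
    modules = {c.module for c in block.calls}
    tags: set[str] = set()
    if "SendInput" in names or {"SetKeyboardState", "PostMessageW"} <= names:
        tags.add("synthetic keystrokes")
    if names & {"GetTokenInformation", "LookupPrivilegeValueW"}:
        tags.add("token/privilege probe")
    if "WININET" in modules:
        tags.add("wininet network")
    if {"AttachThreadInput", "GetForegroundWindow"} <= names:
        tags.add("attaches to foreground window input")
    if {"CreateHardLinkW", "DeleteFileW"} <= names:
        tags.add("hardlink file replace")
    for msg in filter(None, map(decode_window_message, block.calls)):
        tags.add(f"posts {msg}")
    return tags


def summarize(text: str) -> dict[str, set[str]]:
    """Map each tagged function's API ID to its tags; untagged functions are dropped."""
    out: dict[str, set[str]] = {}
    for block in parse_blocks(text):
        tags = classify(block)
        if tags:
            out[block.api_id] = tags
    return out


# Excerpt of the listing above, kept in the report's own bullet format.
SAMPLE_REPORT = """\
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D8BB09
• GetLastError.KERNEL32(?,00000000), ref: 00D8BB2F
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D8BB54
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D8BB80
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D81037
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00D81053
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D810B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D8110B
• API ID: KeyboardState$InputMessagePostSend
APIs
• GetForegroundWindow.USER32 ref: 00DA5189
  • Part of subcall function 00D8387D: GetCurrentThreadId.KERNEL32 ref: 00D8389E
  • Part of subcall function 00D8387D: AttachThreadInput.USER32(00000000,?,00D852A7), ref: 00D838A5
• GetCaretPos.USER32(?), ref: 00DA519A
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D91A97
  • Part of subcall function 00D91B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D91B40
  • Part of subcall function 00D91B21: InternetCloseHandle.WININET(00000000), ref: 00D91BDD
• API ID: Internet$CloseConnectHandleOpen
"""

if __name__ == "__main__":
    for api_id, tags in summarize(SAMPLE_REPORT).items():
        print(f"{api_id}: {', '.join(sorted(tags))}")
```

Run against the whole report text rather than the excerpt to get one line per tagged function. Two caveats when reading the output: the report itself identifies the binary as a compiled AutoIt script, and every function shown here lives in the AutoIt runtime, so the tags describe what the interpreter can do, not what this particular script does; and the decoded message values (0x102 is WM_CHAR in the block at 00D81037, 0x101 is WM_KEYUP in the block at 00D81176) point to keystroke emulation, which is a different mechanism from the hook-based capture a keylogger payload uses.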
                                        APIs
                                          • Part of subcall function 00D7F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D7E1C4,?,?,?,00D7EFB7,00000000,000000EF,00000119,?,?), ref: 00D7F5BC
                                          • Part of subcall function 00D7F5AD: lstrcpyW.KERNEL32(00000000,?,?,00D7E1C4,?,?,?,00D7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D7F5E2
                                          • Part of subcall function 00D7F5AD: lstrcmpiW.KERNEL32(00000000,?,00D7E1C4,?,?,?,00D7EFB7,00000000,000000EF,00000119,?,?), ref: 00D7F613
                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D7E1DD
                                        • lstrcpyW.KERNEL32(00000000,?,?,00D7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D7E203
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00D7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D7E237
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: d45c30690d1699b4fbf3e96e100d1a13d45e4e72b41264e44eb50622a7582cb5
                                        • Instruction ID: fcd7a37742389003d2f47bd4a11a681b317fdd24a083a18d9babf5e300100042
                                        • Opcode Fuzzy Hash: d45c30690d1699b4fbf3e96e100d1a13d45e4e72b41264e44eb50622a7582cb5
                                        • Instruction Fuzzy Hash: 1F118E3A200345EFCB25AF64D84597A77A8FF89350B44816AE80ACB2A1FB71985197B4
                                        APIs
                                        • _free.LIBCMT ref: 00D55351
                                          • Part of subcall function 00D4594C: __FF_MSGBANNER.LIBCMT ref: 00D45963
                                          • Part of subcall function 00D4594C: __NMSG_WRITE.LIBCMT ref: 00D4596A
                                          • Part of subcall function 00D4594C: RtlAllocateHeap.NTDLL(01090000,00000000,00000001), ref: 00D4598F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: 2904a6cc3fff3e406e38cdfa480abe570d2ffbaeea24fbad457f3cc06e87e90b
                                        • Instruction ID: 1ec3350016a3e70b24f28a305a64b5208de92c5633b06f38469f6ffe866d5dab
                                        • Opcode Fuzzy Hash: 2904a6cc3fff3e406e38cdfa480abe570d2ffbaeea24fbad457f3cc06e87e90b
                                        • Instruction Fuzzy Hash: 69110132805B05AFEF223F70FC6561D3B98DF013E2B18042AFD49AA191DB718944A7B0
                                        APIs
                                        • _memset.LIBCMT ref: 00D24560
                                          • Part of subcall function 00D2410D: _memset.LIBCMT ref: 00D2418D
                                          • Part of subcall function 00D2410D: _wcscpy.LIBCMT ref: 00D241E1
                                          • Part of subcall function 00D2410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D241F1
                                        • KillTimer.USER32(?,00000001,?,?), ref: 00D245B5
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D245C4
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D5D6CE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                        • String ID:
                                        • API String ID: 1378193009-0
                                        • Opcode ID: bbef6153646e54d6073dcd1d3e22a56fcdeb1156c37007a482a4a52172f4c03f
                                        • Instruction ID: 094d2a86dfac167926689dcddd4370d35bda77609222a24e0db8047d7f2a266f
                                        • Opcode Fuzzy Hash: bbef6153646e54d6073dcd1d3e22a56fcdeb1156c37007a482a4a52172f4c03f
                                        • Instruction Fuzzy Hash: 3C210A705043989FEB329B24D845BE7BBED9F11309F04009DEEDE96241C7B45A898B71
                                        APIs
                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D78B2A
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00D78B31
                                        • CloseHandle.KERNEL32(00000004), ref: 00D78B4B
                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D78B7A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                        • String ID:
                                        • API String ID: 2621361867-0
                                        • Opcode ID: 586a7169662d4ff3b8fe665bf9b8a66a0dfb76fa3c41dfc411badd7750f62748
                                        • Instruction ID: bcb6a707fe455c05153c70894ff3ead6ae0343863239dabbdd31c1fef8d5ee2b
                                        • Opcode Fuzzy Hash: 586a7169662d4ff3b8fe665bf9b8a66a0dfb76fa3c41dfc411badd7750f62748
                                        • Instruction Fuzzy Hash: 5E1159B2540209ABDF018FA4ED49FDA7BA9EF09305F088064FE08E2160D7769D61AB70
                                        APIs
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D87B20,?,?,00000000), ref: 00D25B8C
                                          • Part of subcall function 00D25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D87B20,?,?,00000000,?,?), ref: 00D25BB0
                                        • gethostbyname.WS2_32(?), ref: 00D966AC
                                        • WSAGetLastError.WS2_32(00000000), ref: 00D966B7
                                        • _memmove.LIBCMT ref: 00D966E4
                                        • inet_ntoa.WS2_32(?), ref: 00D966EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                        • String ID:
                                        • API String ID: 1504782959-0
                                        • Opcode ID: 67a2ef6b706a5f4536b0714462f7230cf50b5d7c2e4a3b9b9cab05ebc5843e7a
                                        • Instruction ID: 534731daa65e48df4618e899258d073e69536eecdfc62468c5f1854997124528
                                        • Opcode Fuzzy Hash: 67a2ef6b706a5f4536b0714462f7230cf50b5d7c2e4a3b9b9cab05ebc5843e7a
                                        • Instruction Fuzzy Hash: 3F116D76900509AFCF00EBA4ED96DEEB7B8EF19714B144065F506A72A1EF30AE04DB71
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00D79043
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D79055
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D7906B
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D79086
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 2058c0f4f42e49b43ce440211a12ee82f43c46501b422d9c9b68a2eaacf0ca42
                                        • Instruction ID: 8e89409ae04901a2b810677d5356d5b554909b1cf90708e590673feaa798c208
                                        • Opcode Fuzzy Hash: 2058c0f4f42e49b43ce440211a12ee82f43c46501b422d9c9b68a2eaacf0ca42
                                        • Instruction Fuzzy Hash: D4112E7A901218FFDB11DFA5CD85E9DFB78FB48710F204095E904B7250D6716E50DBA4
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D801FD,?,00D81250,?,00008000), ref: 00D8166F
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D801FD,?,00D81250,?,00008000), ref: 00D81694
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D801FD,?,00D81250,?,00008000), ref: 00D8169E
                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00D801FD,?,00D81250,?,00008000), ref: 00D816D1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 22a8142805f80c45d8956661a9a768be50ef09a385405ca44e9b67cea4df425b
                                        • Instruction ID: e1261b9ec9a3eb94938c243394277bc185f56613cdf3098ede2c29a515e1193f
                                        • Opcode Fuzzy Hash: 22a8142805f80c45d8956661a9a768be50ef09a385405ca44e9b67cea4df425b
                                        • Instruction Fuzzy Hash: 4A114835C00618D7CF00AFA5D84AAEEBB78FF09711F094096E9C0B6240DB3195668BB6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                        • Instruction ID: e04aa46cd066d123fabe56f25992aa41a550193efb1da2f4e5408722a5ac7172
                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                        • Instruction Fuzzy Hash: 5201803204414ABBCF125E84EC01CEE3F22BF19346F288515FE1858031C237C9B9ABA5
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00DAB59E
                                        • ScreenToClient.USER32(?,?), ref: 00DAB5B6
                                        • ScreenToClient.USER32(?,?), ref: 00DAB5DA
                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DAB5F5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClientRectScreen$InvalidateWindow
                                        • String ID:
                                        • API String ID: 357397906-0
                                        • Opcode ID: 6cc7765d6aa8c05e119a3b10e145060874a7caffa1876f2e5e4175f176febae9
                                        • Instruction ID: 1a1279ba40a61207fff6518c52577e648d4f68e98a0a2499b86a45d063bd083c
                                        • Opcode Fuzzy Hash: 6cc7765d6aa8c05e119a3b10e145060874a7caffa1876f2e5e4175f176febae9
                                        • Instruction Fuzzy Hash: 451146B5D00209EFDB41CFA9C4849EEFBB5FB09310F144166E954E3620D735AA558FA0
                                        APIs
                                        • _memset.LIBCMT ref: 00DAB8FE
                                        • _memset.LIBCMT ref: 00DAB90D
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00DE7F20,00DE7F64), ref: 00DAB93C
                                        • CloseHandle.KERNEL32 ref: 00DAB94E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _memset$CloseCreateHandleProcess
                                        • String ID:
                                        • API String ID: 3277943733-0
                                        • Opcode ID: d0f8230142f45abe433ea5a3b112a735561dd5b2eef8b3b9b4b258b990bd23b4
                                        • Instruction ID: 3ac83b2710d82b87f31351c97a458f548cfd4e373e10a0c5e738eaf1a858f236
                                        • Opcode Fuzzy Hash: d0f8230142f45abe433ea5a3b112a735561dd5b2eef8b3b9b4b258b990bd23b4
                                        • Instruction Fuzzy Hash: C6F05EB26443807BE7503BA5AC45FBB3A5CEF09354F000061FA08D9392D7715D0087B8
                                        APIs
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00D86E88
                                          • Part of subcall function 00D8794E: _memset.LIBCMT ref: 00D87983
                                        • _memmove.LIBCMT ref: 00D86EAB
                                        • _memset.LIBCMT ref: 00D86EB8
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00D86EC8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                        • String ID:
                                        • API String ID: 48991266-0
                                        • Opcode ID: 59eb4230849e4788bd5803ffeb59b238f30457577f9c844237597ea92a217f0e
                                        • Instruction ID: 613468ede5ad2bd2578c286af41c7d7cf699f1a4343980d440101ad1ad4ab9b5
                                        • Opcode Fuzzy Hash: 59eb4230849e4788bd5803ffeb59b238f30457577f9c844237597ea92a217f0e
                                        • Instruction Fuzzy Hash: 47F0543A200200ABCF417F55DC85F49BB29EF45320B048061FE089E226C731E951DBB4
                                        APIs
                                          • Part of subcall function 00D212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D2134D
                                          • Part of subcall function 00D212F3: SelectObject.GDI32(?,00000000), ref: 00D2135C
                                          • Part of subcall function 00D212F3: BeginPath.GDI32(?), ref: 00D21373
                                          • Part of subcall function 00D212F3: SelectObject.GDI32(?,00000000), ref: 00D2139C
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DAC030
                                        • LineTo.GDI32(00000000,?,?), ref: 00DAC03D
                                        • EndPath.GDI32(00000000), ref: 00DAC04D
                                        • StrokePath.GDI32(00000000), ref: 00DAC05B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        • Opcode ID: 50aff797fed84edd409bb7c24c36d30ec7f9b210121dc2e17d9e25d64dc03052
                                        • Instruction ID: b17f57656875bafcf2b1350d9d9c96a00825aeb060a80b106a8ca5b5f4116ffd
                                        • Opcode Fuzzy Hash: 50aff797fed84edd409bb7c24c36d30ec7f9b210121dc2e17d9e25d64dc03052
                                        • Instruction Fuzzy Hash: 07F05E32001359FBDB226F94AC0AFCE3F59AF16321F448040FA11A52E2C7B55551CBB9
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D7A399
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7A3AC
                                        • GetCurrentThreadId.KERNEL32 ref: 00D7A3B3
                                        • AttachThreadInput.USER32(00000000), ref: 00D7A3BA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: fd03c448076ec3f1ba5870b7d36559bd3582b4fdc70c36c59e05eb714ab76440
                                        • Instruction ID: 2163d96de0f6db787c0cc8b17e8eaf4fb980c25a8507b181d77745bfb8ae03b4
                                        • Opcode Fuzzy Hash: fd03c448076ec3f1ba5870b7d36559bd3582b4fdc70c36c59e05eb714ab76440
                                        • Instruction Fuzzy Hash: 9AE0A531545328BADB206FE6DC0DEDB7E5CEF167A2F088065B509D51A0D67185409BB1
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 00D22231
                                        • SetTextColor.GDI32(?,000000FF), ref: 00D2223B
                                        • SetBkMode.GDI32(?,00000001), ref: 00D22250
                                        • GetStockObject.GDI32(00000005), ref: 00D22258
                                        • GetWindowDC.USER32(?,00000000), ref: 00D5C0D3
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D5C0E0
                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00D5C0F9
                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00D5C112
                                        • GetPixel.GDI32(00000000,?,?), ref: 00D5C132
                                        • ReleaseDC.USER32(?,00000000), ref: 00D5C13D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                        • String ID:
                                        • API String ID: 1946975507-0
                                        • Opcode ID: f66df04e3edff0bc7576edef76b0a9d10e0afb436945d216c8999250452e4cef
                                        • Instruction ID: bf728575e878f47b388f711db90b13719b4a37a62e14df3e32bfc82a96d88b8a
                                        • Opcode Fuzzy Hash: f66df04e3edff0bc7576edef76b0a9d10e0afb436945d216c8999250452e4cef
                                        • Instruction Fuzzy Hash: 23E0A532604744EADB215BA8EC09B987B14AB16336F1483A6FA69981E1C67249949B32
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 00D78C63
                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00D7882E), ref: 00D78C6A
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D7882E), ref: 00D78C77
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00D7882E), ref: 00D78C7E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CurrentOpenProcessThreadToken
                                        • String ID:
                                        • API String ID: 3974789173-0
                                        • Opcode ID: e49e2acdb62af85413c7ae8fa1a2a884900a11571021d3fc49ca56ba82870645
                                        • Instruction ID: 30fef0e8e26bd9d8c4e79cb14674d75d211aea643ddf71b82b5c980d86fadc26
                                        • Opcode Fuzzy Hash: e49e2acdb62af85413c7ae8fa1a2a884900a11571021d3fc49ca56ba82870645
                                        • Instruction Fuzzy Hash: 8CE04F366423219BD7205FF16D0CB963BA8EF52792F088868A245C9040EA3484419B71
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00D62187
                                        • GetDC.USER32(00000000), ref: 00D62191
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D621B1
                                        • ReleaseDC.USER32(?), ref: 00D621D2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: 6489f091d23ba94f0573cba809988f937b3cbaf6ebcd1e17cb38b7cd4a7ba507
                                        • Instruction ID: 4328c9abc2c63b479de2f4254388063209b7467b3750c9a955dd8dec9b45473c
                                        • Opcode Fuzzy Hash: 6489f091d23ba94f0573cba809988f937b3cbaf6ebcd1e17cb38b7cd4a7ba507
                                        • Instruction Fuzzy Hash: FBE0EEB5800714EFDB119FA0D808AADBBB1EB5D351F148469F99AE7320CB7885429F61
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00D6219B
                                        • GetDC.USER32(00000000), ref: 00D621A5
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D621B1
                                        • ReleaseDC.USER32(?), ref: 00D621D2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: bc28aa5a215cce1e5cde01fa3f9ff23973fdddb63eb4cf7c0dd657a5c38efd23
                                        • Instruction ID: 910790a757d19ad7e94e4736c4886e657646e5435a3cbc400d42c227431e6339
                                        • Opcode Fuzzy Hash: bc28aa5a215cce1e5cde01fa3f9ff23973fdddb63eb4cf7c0dd657a5c38efd23
                                        • Instruction Fuzzy Hash: B0E012B5C00314AFCB219FB0D80869DBBF1EB5D311F148069F95AE7320CB7895419F60
                                        APIs
                                        • OleSetContainedObject.OLE32(?,00000001), ref: 00D7B981
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ContainedObject
                                        • String ID: AutoIt3GUI$Container
                                        • API String ID: 3565006973-3941886329
                                        • Opcode ID: 4d165007b43caca38278e75660110f8364df38ce254673889ee37ce92772e18a
                                        • Instruction ID: 3b9c5eda10e0cba1dc1f858b32d1a561288f8b3ee869f9131b8134d8189585f0
                                        • Opcode Fuzzy Hash: 4d165007b43caca38278e75660110f8364df38ce254673889ee37ce92772e18a
                                        • Instruction Fuzzy Hash: EA913B706006019FDB24DF64C895B66BBF9FF48710F14856EE94ACB791EB71E844CB60
                                        APIs
                                          • Part of subcall function 00D3FEC6: _wcscpy.LIBCMT ref: 00D3FEE9
                                          • Part of subcall function 00D29997: __itow.LIBCMT ref: 00D299C2
                                          • Part of subcall function 00D29997: __swprintf.LIBCMT ref: 00D29A0C
                                        • __wcsnicmp.LIBCMT ref: 00D8B298
                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D8B361
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                        • String ID: LPT
                                        • API String ID: 3222508074-1350329615
                                        • Opcode ID: dae3469b50d87729799f3298fcf611de514ee39394fb8ad80f0a076cffcb13c4
                                        • Instruction ID: beedfc951f3fe577c98f801de323b9e01851a8327db0ac2ec3d1fe9e59f69db8
                                        • Opcode Fuzzy Hash: dae3469b50d87729799f3298fcf611de514ee39394fb8ad80f0a076cffcb13c4
                                        • Instruction Fuzzy Hash: 2E618475A00215EFCB14EF98C891EAEB7B4EF08320F15405AF546AB391DB70AE44CB70
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00D32AC8
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D32AE1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        • Opcode ID: e8be47cb992eaa43d7d8df52e0919e758a19795ad62bec0e4facad90ab710461
                                        • Instruction ID: 8eda361ff646a3129fda0d51f5bc2a9172e0c7f1548595d9544dc2974805292e
                                        • Opcode Fuzzy Hash: e8be47cb992eaa43d7d8df52e0919e758a19795ad62bec0e4facad90ab710461
                                        • Instruction Fuzzy Hash: C75149714187559BD320AF10EC96BAFBBE8FF94314F42485DF1D9811A5DB308929CB36
                                        APIs
                                          • Part of subcall function 00D2506B: __fread_nolock.LIBCMT ref: 00D25089
                                        • _wcscmp.LIBCMT ref: 00D89AAE
                                        • _wcscmp.LIBCMT ref: 00D89AC1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: _wcscmp$__fread_nolock
                                        • String ID: FILE
                                        • API String ID: 4029003684-3121273764
                                        • Opcode ID: 465cca313eebda343bcd0177f9c13cf2b28e992aa5f1a9decf0dea04bf7e4853
                                        • Instruction ID: 4ab8370ca5917e5f468264490b3012b988f8c8e5f4d5ad7eb28321f545a9bcfb
                                        • Opcode Fuzzy Hash: 465cca313eebda343bcd0177f9c13cf2b28e992aa5f1a9decf0dea04bf7e4853
                                        • Instruction Fuzzy Hash: 4841C871A00619BBDF20AAA4EC86FEFBBBDDF45714F040069F940A7185DA75AA0487B1
                                        APIs
                                        • _memset.LIBCMT ref: 00D92892
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D928C8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CrackInternet_memset
                                        • String ID: |
                                        • API String ID: 1413715105-2343686810
                                        • Opcode ID: 3d8f78f828c4848265aafddd47296a4b3eee27fc01b2291b420cfa39b97ebb9d
                                        • Instruction ID: e0f6709d33038021c681f7cb4ee707db8c1578353930c69a81550b31abdc29aa
                                        • Opcode Fuzzy Hash: 3d8f78f828c4848265aafddd47296a4b3eee27fc01b2291b420cfa39b97ebb9d
                                        • Instruction Fuzzy Hash: BC311971C00119AFCF11AFA1DC85EEEBFB9FF18304F144069F815A6166EA319A56DBB0
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 00DA6D86
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DA6DC2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: 082cc5d04885053d12ca535691c477f594fe5834d1f50afd4dcd401a4048b0d7
                                        • Instruction ID: bae4f7df32ae9f93caaf1da9aefa8cfbac08fa9073dbc36664b43715ca0ba8cc
                                        • Opcode Fuzzy Hash: 082cc5d04885053d12ca535691c477f594fe5834d1f50afd4dcd401a4048b0d7
                                        • Instruction Fuzzy Hash: E2319C71200204AEDB109F78CC80AFB77A9FF49764F188619F9A6D7190CA31EC91CB70
                                        APIs
                                        • _memset.LIBCMT ref: 00D82E00
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D82E3B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: 9dee53035c2e3b507816f87ecd5fb6b9db6bcc13fe3aa6631692798d77b7f18d
                                        • Instruction ID: c9a75f6883f6fde389919a0b935e7b32ab341e870b38a3fe70021636d505f08b
                                        • Opcode Fuzzy Hash: 9dee53035c2e3b507816f87ecd5fb6b9db6bcc13fe3aa6631692798d77b7f18d
                                        • Instruction Fuzzy Hash: 6031E971A00309ABEB26EF59C885BBEBBB5FF05350F180069F985D61A0D7709944CB74
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DA69D0
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DA69DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: 75b421506bbfaf33b73324a147c32f4332268658f4271ce4f2cbec96aad0af0d
                                        • Instruction ID: 603502abe113041846cf7d72f1bfc9d3f1bce4b4f642100469103bb1e642046d
                                        • Opcode Fuzzy Hash: 75b421506bbfaf33b73324a147c32f4332268658f4271ce4f2cbec96aad0af0d
                                        • Instruction Fuzzy Hash: 6111BF71600208AFEF119F24CC80EEB376EEB9A3A4F194129F9589B290D671DC518BB0
                                        APIs
                                          • Part of subcall function 00D21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D21D73
                                          • Part of subcall function 00D21D35: GetStockObject.GDI32(00000011), ref: 00D21D87
                                          • Part of subcall function 00D21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D21D91
                                        • GetWindowRect.USER32(00000000,?), ref: 00DA6EE0
                                        • GetSysColor.USER32(00000012), ref: 00DA6EFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: f4661766a28001005b435fe7b326bbbfff2a7b10bbfe789f1b31ef420f48d9a8
                                        • Instruction ID: 3c55051832a831bde142c8aad1fee78008f820a7c803666e4e2a78d66ba2450c
                                        • Opcode Fuzzy Hash: f4661766a28001005b435fe7b326bbbfff2a7b10bbfe789f1b31ef420f48d9a8
                                        • Instruction Fuzzy Hash: 32212976610209AFDB04DFB8DD45AEA7BB8FB09314F044629FA55D3250D634E8619B60
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 00DA6C11
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DA6C20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: d62e61de7ad8bb4642b255663288fc61bc245e93ff119361c31acc2f81da95f7
                                        • Instruction ID: e16d19cfa2a5e050726ea9651e1ad6a4acfe6a547dbeebb8552cefe37147ed5f
                                        • Opcode Fuzzy Hash: d62e61de7ad8bb4642b255663288fc61bc245e93ff119361c31acc2f81da95f7
                                        • Instruction Fuzzy Hash: 48118C71500208EBEB109F64DC41AEB3B6AEB16378F284B24F9A1D71E0C775DC919B70
                                        APIs
                                        • _memset.LIBCMT ref: 00D82F11
                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D82F30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: b45494ac3d363053d9f65f06423b2f396fa225adab8b931614bd398bed416f55
                                        • Instruction ID: b793a9437b1db0cdda40e11bf14dd39481216209607bce1275f256bbbebc2335
                                        • Opcode Fuzzy Hash: b45494ac3d363053d9f65f06423b2f396fa225adab8b931614bd398bed416f55
                                        • Instruction Fuzzy Hash: 79118E31901254ABDB21FB59DC44FB977B9EF15350F1800A6F994A72A0D7B0ED04C7B5
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D92520
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D92549
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 9a77ee9ac2b2d30f3017c197d872c8fb72e0bb88e3f4ad2d66271b7369ce583b
                                        • Instruction ID: 2272f19998e332159cf443115eef6b11db2eac82ee6f4a4ab2d563ef69cd6a99
                                        • Opcode Fuzzy Hash: 9a77ee9ac2b2d30f3017c197d872c8fb72e0bb88e3f4ad2d66271b7369ce583b
                                        • Instruction Fuzzy Hash: CA11CEB0501225BEDF248F618C99EFBFFA8FF16761F11812AF94586140D270A985DAF0
                                        APIs
                                          • Part of subcall function 00D9830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00D980C8,?,00000000,?,?), ref: 00D98322
                                        • inet_addr.WS2_32(00000000), ref: 00D980CB
                                        • htons.WS2_32(00000000), ref: 00D98108
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidehtonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 2496851823-2422070025
                                        • Opcode ID: 41d52ab90887139d30b080f44d36f23f8f6594e2c981241940166ff71de6155b
                                        • Instruction ID: 32610271aefd6587d6a54109ab1a0d3de630d95fd1cdef8fc350a4f5cd1c0bd5
                                        • Opcode Fuzzy Hash: 41d52ab90887139d30b080f44d36f23f8f6594e2c981241940166ff71de6155b
                                        • Instruction Fuzzy Hash: E811CE34600305ABCF20AFA4DC46FADB324EF05720F108526E915A7291DA32A81196B1
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D79355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: f87d223e9109d17e7eea7d1ae5d36efe977a8539b2fc4ba9974d1f02fe5dc0b9
                                        • Instruction ID: b4b6c1967748dae274bce608ef02c98bbcc6450ce430451a3d4d4c06af0e0b01
                                        • Opcode Fuzzy Hash: f87d223e9109d17e7eea7d1ae5d36efe977a8539b2fc4ba9974d1f02fe5dc0b9
                                        • Instruction Fuzzy Hash: 1E01F571A05224ABCB04EBA0DCA2CFEB369FF16320B14461AF976573D1EB31580C8770
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00D7924D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: e0a3aad22f7b26906ac4735575b1220650e8e901857f6ef24711077f0a192496
                                        • Instruction ID: 1ed3ad212564306fd24f2bb5d84d24767d01e1b10abdd1db0033136d2c0889e0
                                        • Opcode Fuzzy Hash: e0a3aad22f7b26906ac4735575b1220650e8e901857f6ef24711077f0a192496
                                        • Instruction Fuzzy Hash: A101D871A451047BCB14F7A0D9A2EFFB3A8DF15310F144056B516632D2EA216E0C8271
                                        APIs
                                          • Part of subcall function 00D27F41: _memmove.LIBCMT ref: 00D27F82
                                          • Part of subcall function 00D7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D7B0E7
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00D792D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: f8ad74119894d4e799cf578574c4dd983371511025ee1493558aae295946cc37
                                        • Instruction ID: af070d7104d7f154d4eabe4420a901586f12fbc60348ca2d98839d535202b838
                                        • Opcode Fuzzy Hash: f8ad74119894d4e799cf578574c4dd983371511025ee1493558aae295946cc37
                                        • Instruction Fuzzy Hash: CB01A772A451147BCF14F7A0D9A2EFFB7ACDF11310F544116B916732C2EA215E0C9675
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp
                                        • String ID: #32770
                                        • API String ID: 2292705959-463685578
                                        • Opcode ID: 52f3e9f510a5601ef2574099a3baf130276fc43017dcd50ee82d5fe969bd6bbf
                                        • Instruction ID: 16a443c1c4c8af3beec0323f2059d45e029b75a0839a5616dcc4dfa32db7397c
                                        • Opcode Fuzzy Hash: 52f3e9f510a5601ef2574099a3baf130276fc43017dcd50ee82d5fe969bd6bbf
                                        • Instruction Fuzzy Hash: 54E0613250032C1BD310A799AC45FA7FBACEB41731F000157FD50D3140D560990587F0
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D781CA
                                          • Part of subcall function 00D43598: _doexit.LIBCMT ref: 00D435A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                         • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: Message_doexit
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 1993061046-4017498283
                                        • Opcode ID: 70f3119d4d6d7296c86d841e0d82e8e4199e5999f61baff52fea0030193d0122
                                        • Instruction ID: ea089dbfad7236204c6093120ac16c5aba95e7115cd35edefc8d25ee9e2cfb94
                                        • Opcode Fuzzy Hash: 70f3119d4d6d7296c86d841e0d82e8e4199e5999f61baff52fea0030193d0122
                                        • Instruction Fuzzy Hash: 77D017362C532836D21432A96D0BBCAAA888B15B56F484026BB08956D38AD299C242B9
                                        APIs
                                          • Part of subcall function 00D5B564: _memset.LIBCMT ref: 00D5B571
                                          • Part of subcall function 00D40B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00DE5158,00000000,00DE5144,00D5B540,?,?,?,00D2100A), ref: 00D40B89
                                        • IsDebuggerPresent.KERNEL32(?,?,?,00D2100A), ref: 00D5B544
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D2100A), ref: 00D5B553
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D5B54E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 3158253471-631824599
                                        • Opcode ID: f58415777b6aed63425811147df0947e9a3a7342e7eda52279ef9e1ad08d3e1d
                                        • Instruction ID: 772a03f8c916597437ae9ecbbaf49ae228c77902d540f4159ccca8828e4fe516
                                        • Opcode Fuzzy Hash: f58415777b6aed63425811147df0947e9a3a7342e7eda52279ef9e1ad08d3e1d
                                        • Instruction Fuzzy Hash: B4E06D702003118FDB25DF68E5047427BE4EB00755F04896DE996C7361E7B4D408CB71
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DA5BF5
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DA5C08
                                          • Part of subcall function 00D854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D8555E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1283217070.0000000000D21000.00000040.00000001.01000000.00000004.sdmp, Offset: 00D20000, based on PE: true
                                        • Associated: 00000005.00000002.1283196136.0000000000D20000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DD5000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000DDF000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E00000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283217070.0000000000E31000.00000040.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283484401.0000000000E37000.00000080.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E38000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1283502188.0000000000E50000.00000004.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_d20000_prgNb8YFEA.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 81b791cdebe14e57b15b2be01c22a1070461ba421941d04fedceddea583f0292
                                        • Instruction ID: d8ba5f90f47a73fc588089c4f2350b8d44f6e458928e7b3d9f7db8f385b6eb75
                                        • Opcode Fuzzy Hash: 81b791cdebe14e57b15b2be01c22a1070461ba421941d04fedceddea583f0292
                                        • Instruction Fuzzy Hash: 8CD0C931788311BAE764BBB4EC4BF976A54AB01B51F040865B655EA2D0D9E4A800C670